6 Replies Latest reply on Aug 27, 2013 7:02 PM by Malcolm

    Script Folder Names are revealed to CWP users

    Malcolm

      Summary

      Script Folder Names are revealed to CWP users

      Product

      FileMaker Server

      Version

      11.0.5.510

      Operating system version

      OS X 10.6.8

      Description of the issue

      Security

      When calling getScriptNames via CWP the names of all script folders are revealed despite the fact that the user account accessing the database has script privileges set to "All No Access".

      Steps to reproduce the problem

      Create a database with a user account privilege set that has scripts set to "All No Access" and extended privileges set to fmphp.

      Write a PHP page which queries the database using that account and calls getScriptNames.

      Expected result

      I expect an error to be returned or an empty object.

      Actual result

      The names of all script folders are returned.

      Script folders may contain information which is expected to be secure. There is no warning that I have seen that advises the developer that folder names will be revealed to web users regardless of the security settings in user account privilege sets.

      Databases which have been purchased from vendors will have signature folder names. If an exploitable weakness is discovered in the product the signature folder name may be used to identify the database for attack.

      Workaround

      Do not use folders.

        • 1. Re: Script Folder Names are revealed to CWP users

          Malcolm Fitzgerald:

               Thank you for the post.

                

               May I see a screen shot of the script or code used which pulls the folder names? I am personally unfamiliar with "getScriptNames." Is that AppleScript?

                

               I know of the FileMaker function Get(Script Name) which will return the name of the script currently running, but that doesn't return folder names from the Manage Scripts dialogue window.

                

               TSFalcon

               FileMaker, Inc.

          • 2. Re: Script Folder Names are revealed to CWP users
            Malcolm

                 Sorry,

                 that is the wrong function name. I meant listScripts(), which is part of the FileMaker PHP API.

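                 require_once 'FileMaker.php'; // FileMaker API for PHP
                 $htm = ''; // HTML output buffer
                 // $host, $db, $uname and $pwd are supplied by the calling page
                 $fm = new FileMaker();
                 $fm->setProperty('hostspec', 'http://'.$host);
                 $fm->setProperty('database', $db);
                 $fm->setProperty('username', $uname);
                 $fm->setProperty('password', urldecode($pwd));
                 // Request the script list as the restricted account
                 $scripts = $fm->listScripts();
                 if (FileMaker::isError($scripts)) {
                     if ( $scripts->getCode() == 22 ) {
                         $htm .= "You do not have access to the scripts in this database";
                     } else {
                         // Report the error from the listScripts() call itself
                         $htm .= "Error: " . $scripts->getMessage() . "\n";
                     }
                 } else {
                     $i = 0;
                     $htm .= '<table>';
                     foreach ($scripts as $script) {
                         ++$i;
                         // Escape each returned name before writing it into the page
                         $htm .= '<tr><td>'.$i.'</td><td>'.htmlspecialchars($script).'</td></tr>';
                     }
                     $htm .= "</table>";
                 }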
                  

            • 3. Re: Script Folder Names are revealed to CWP users

              Malcolm Fitzgerald:

                   Thank you for the reply.

                    

                   Unless you're passing a [Full Access] FileMaker account to log in through the PHP code, then knowing the script folder's names is not a security risk.

                    

                   Script folder names in FileMaker are nothing more than blank scripts, so I cannot imagine a scenario where access to blank scripts could be used to attack the database. If the account logged in through the PHP code is set up as a managed account with "All No Access" to scripts, then simply knowing the script folder's names will not allow a managed account to run any scripts that the account's user privilege set doesn't allow.

                    

                   If you do not wish for the user to see the script folder's names, then do not code the PHP to call the names for all scripts.

                    

                   TSFalcon

                   FileMaker, Inc.

              • 4. Re: Script Folder Names are revealed to CWP users
                Malcolm
                     

                          knowing the script folder's names is not a security risk.

                     You can say that positively? 100%? How can you be sure?

                     Why would you say that leaking information from the database is not compromising security?

                     Developers put all sorts of information into Folder Names. They are like a handy, built-in outliner (Acta!). That information is being revealed to the web user.

                     The database that I'm looking at is based on a well known commercial solution. The folder names include enough information to identify the solution.

                     Does the solution have known properties? Account names? Layout names? Script names? Yes, it does. Could these be used to access/attack/compromise the system? I'm sure it could.

                     

                          If you do not wish for the user to see the script folder's names, then do not code the PHP to call the names for all scripts.

                     1. It's the internet. It is not just my code that I have to worry about. Anyone can write PHP code and point it to the server.

                     2. The account being used for the web has Scripts set to "All No Access". Repeat - All No Access.

                     3. I called ListScripts, yet the folder names are revealed.

                     4. There is no setting to reveal/restrict the display of folder names.

                     What's the problem?

                     No information should be revealed which has not been explicitly permitted. In the current security environment the "no access" setting prevents access to that object for that user account. However, there is not a "no access" setting for folder names. Should anyone wish to see folder names, they simply call listScripts. There is nothing that we can do to stop them.

                      

                • 5. Re: Script Folder Names are revealed to CWP users

                  Malcolm Fitzgerald:

                       Thank you for the reply.

                        

                       FileMaker Inc. has no control over what a developer names their script folders. All I can do is assure you that knowing a folder name (which is nothing more than a divider in FileMaker) does not allow the FileMaker user account logged in through PHP to run any scripts when the privilege set for the account is set to "All No Access." 

                        

                       I agree with you that anyone on the Internet can write PHP code and point it to the FileMaker Server; however, without a FileMaker user account name and password for the database, then they can't even reveal the names of the script folders. 

                        

                       I'm not a PHP expert by any means, but the code can be modified to filter the results the same as FileMaker. 

                        

                       The user with "All No Access" to FileMaker Scripts cannot perform any FileMaker scripts when logged in using the managed account either through PHP or FileMaker.

                        

                       TSFalcon
                       FileMaker, Inc.

                  • 6. Re: Script Folder Names are revealed to CWP users
                    Malcolm

                         After writing a long reply I got "Comment could not be posted" and my post had been destroyed.

                         In short, FileMaker builds a server product which is providing more information than has been requested. It is not possible to control/restrict that information.

                         I have used that information to discover another bug, more serious than this, and it gives me record data :)

                         Yummy!