3 Replies Latest reply on Feb 13, 2014 7:01 AM by CamelCase

    Security hole in WebDirect

    MarkusNoser

      Summary

      Security hole in WebDirect

      Product

      FileMaker Server

      Version

      13

      Operating system version

      Webbrowser

      Description of the issue

      In the URL of the WebDirect Site, everyone can see which layout is actually shown. With a little guess and try the user can gain access to secret layouts.
      In my eyes it is a big security hole.
      To use unguessable names for layouts is not a solution.

      Steps to reproduce the problem

      Stay at version 12 with IWP.

        • 1. Re: Security hole in WebDirect
          CamelCase

               This seems to be a misunderstanding of how FileMaker security works.

               If you define each privilege set's layout access properly, users can only access the layouts they are supposed to be able to access, no matter how they manipulate the URL.

          • 2. Re: Security hole in WebDirect
            MarkusNoser

                 No, the privilege sets are no option.

                 We handle the access privileges to the different layouts in a table in the database.
                 The users will see only the navigation buttons that are allowed to access.
                 All web users have the same "FileMaker privilege set" and in this case the same access rights to the layouts.

                 If we would give the access with the FileMaker privilege sets we have to define very much privilege sets.

                 If we only have 5 Layouts for the Webusers, we have to build 30 privilege set's.
                 (only Layout 1, only Layout 2, … then Layout 1 & 2, Layout 1 & 3, … and so on)

                 And with 10 Layout there are 1022 possibilities. This is no option.

                 The privilege sets is ok to protect the layouts you use for development but
                 not to restrict access to the user layouts like "budget", "contact", "billing", …

                 If I connect with a FileMaker Client I can only access the layouts that I can reach by a script.
                 Why it is different in WebDirect?
                 I thought WebDirect should align the functionality to the FileMaker Client.

            • 3. Re: Security hole in WebDirect
              CamelCase

                   I wouldn't really call this a security issue in the strict sense, but you can always use a OnLayoutEnter script trigger to prevent users from accessing layouts by other means than your navigation scripts. Not as elegant as one would like, of course.