2 Replies Latest reply on Apr 14, 2009 4:00 PM by TSDiva

    Security problem with View Databases Hosted by FileMaker Server

    _ian

      Description of the issue

      Our FileMaker Servers are configured to require users to enter a user name and password in order to see the database files. In other words, in the Security tab of the Database Server configuration on the Server Admin tool we've got "List only the databases that each user can see" selected. When using FileMaker 10.0v1 running on OS X 10.5.6 and opening remote, it does ask for the user name and password, but if you move the password dialog out of the way it displays all of the database files in the Open Remote dialog box. Since the password dialog box is modal it's not possible to interact with the listed files, but it is possible to see them, which is a bit of a security problem.

      Our FileMaker Servers are a mix of versions 9.0.3.325 and v10.0.1.64.

      I can provide a screen shot that illustrates the problem, but there doesn't seem to be a way to provide one in this forum.

      cheers
      Ian

        • 1. Re: Security problem with View Databases Hosted by FileMaker Server
          TSGal

          _ian:

           

          Thank you for your post.

           

          FileMaker Server hosts all database files. It will not hide the databases from view, because FileMaker doesn't know which file you want to open.

           

          One possible solution is to have a local file that uses a script to open the file on the server. This would open the file using the account name and password used in the local file. If no account name and password are used, then you will be prompted for one.

           

          Another possible solution is to rename the sensitive files on the server. For example, XfCgRqZ.fp7 and PjtzH1e.fp7 could correspond to salaries and performance reviews.

           

          TSGal

          FileMaker, Inc. 

          • 2. Re: Security problem with View Databases Hosted by FileMaker Server
            TSDiva
              

            Ian,

             

            I apologize for the confusion. You are able to limit which files are visible in the 'Open Remote' dialog by selecting ‘List only the databases each user is authorized to access’ in the Server Admin Console. I was able to duplicate the issue that you described where all files are displayed behind the authentication dialog. I have forwarded this issue to our QA department for review.

             

            Thank you for bringing this issue to our attention.

             

            -TSDiva

            FileMaker, Inc.