3 Replies Latest reply on Dec 16, 2010 10:58 AM by TSGal

    Security. Server Console : duplicating a script schedule

    fabricen

      Summary

      Security. Server Console : duplicating a script schedule

      Product

      FileMaker Server

      Version

      11

      Operating system version

      Mac OS X

      Description of the issue

      This could be seen as a security issue:
      While duplicating a schedule that performs a FileMaker Script, the account name and password are duplicated as well, allowing any administrator that does not have a full access account to the file to have any script performed by the server.

      Steps to reproduce the problem

      Create a schedule that performs a script (with a valid account/password).
      Duplicate the schedule.
      In the new schedule, change the called script.
      You don't have to re-type the password.

      Expected result

      The password should not be duplicated, although I admit it's convenient in most cases.

      Actual result

      The password is duplicated with the schedule.

        • 1. Re: Security. Server Console : duplicating a script schedule
          TSGal

          FabriceN:

          Thank you for your post.

          If I had a schedule that was password protected, and a user duplicated the schedule, I wouldn't want the password removed from the duplicated schedule.

          Can you discuss this a bit more as to why this should change?  Perhaps a preferences setting?

          TSGal
          FileMaker, Inc.

          • 2. Re: Security. Server Console : duplicating a script schedule
            fabricen

            Hi,

            Let's take the example of a FileMaker consultant installing a FileMaker solution at a customer's, or now with FMSA 11 a super admin delegating administration rights to group administrators.

            In both cases, the 'delegate' has access to the admin console, but may not have full access on the file.

            Now, let's say that the solution is designed in a way that relies on server side scripts. The 'super admin' or 'consultant' can set up a scheduled script using his full access account.

            But anyone with access to the schedules can now duplicate it and have it perform another script, even without giving the full access credentials.

            Hope I made it more understandable (:unsure:)

            Fabrice

            PS: about security, this forum's authentication system has some major issues. Sometimes it simply breaks, and when it does, it returns the password in the login field. And in readable format, of course.

            • 3. Re: Security. Server Console : duplicating a script schedule
              TSGal

              FabriceN:

              Thanks for the explanation, and it does provide a little more information. However, I do think if this was changed, there would be a security issue because other people could duplicate the schedule and make previously unauthorized changes.

              I encourage you to enter this suggestion into our Feature Requests web form at:

              http://www.filemaker.com/company/contact/feature_request.htm

              When entering the suggestion, please give a real-life example with a good explanation as to why this should change, or explain that this should be an additional setting for the reasons you laid out.  Let Development and Product Management (who read these web entries) discuss the pros and cons of this proposed change.

              TSGal
              FileMaker, Inc.
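
Added example, not part of the thread and not FileMaker Server code: a small Python model of the trade-off discussed above, where a plain duplicate keeps its stored credential (the convenience from reply 1) but changing the script requires the account password again (the concern from reply 2). The Schedule record, the function names and the sample values are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, replace

# Assumption: a per-server secret kept outside the schedule store.
SERVER_KEY = os.urandom(32)

def _binding(account, script):
    """Tag tying a stored credential to the one script it was entered for."""
    msg = account.encode() + b"\x00" + script.encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()

@dataclass(frozen=True)
class Schedule:  # hypothetical record, not the product's storage format
    name: str
    script: str
    account: str
    password: str  # stands in for the credential as the server stores it
    binding: bytes

def create(name, script, account, password):
    return Schedule(name, script, account, password, _binding(account, script))

def duplicate(s, new_name):
    # Same script, same credential: the copy stays runnable without re-entry.
    return replace(s, name=new_name)

def change_script_reported(s, new_script):
    # Behaviour described in the report: script swapped, credential reused.
    return replace(s, script=new_script, binding=_binding(s.account, new_script))

def change_script_hardened(s, new_script, password=None):
    # Retargeting the schedule requires re-entering the stored account's password.
    if password is None or not hmac.compare_digest(password.encode(), s.password.encode()):
        raise PermissionError("re-enter the account password to change the script")
    return replace(s, script=new_script, binding=_binding(s.account, new_script))

def may_run(s):
    # Run-time check: the credential is used only for the script it is bound to.
    return hmac.compare_digest(s.binding, _binding(s.account, s.script))

if __name__ == "__main__":
    base = create("Nightly export", "Export Report", "admin", "constructed-pw")
    copy = duplicate(base, "Nightly export (copy)")
    print("duplicate runnable:", may_run(copy))
    try:
        change_script_hardened(copy, "Another Script")
    except PermissionError as exc:
        print("hardened edit refused:", exc)
```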