5 Replies Latest reply on May 4, 2009 3:37 PM by TSGal

    FMS 9 PHP security issue

    tas


      I have installed FileMaker Server 9 and Web Publishing Engine on the same machine as the Web Server (Apache on Mac X Server 10.4) and I am using PHP. How do I restrict access to the FileMaker databases through PHP, so that they are only accessible locally from the Web Server?

       

      The firewall on the server has all FileMaker related ports 5003, 160xx, 50003, 50006 closed.  Yet, I am able to connect and access the FileMaker database from an external computer through PHP code.

       

      According to FileMaker's document "FileMaker Server Custom Web Publishing with PHP":

      "Configure your web server to restrict the IP addresses that can access your databases via the Web Publishing Engine. For example, specify that only web users from the IP address 192.168.100.101 can access your databases. For information on restricting IP addresses, see the documentation for your web server. "

       

      Can anyone point out to me where I can find such documentation?

       

      Thanks

       

      Anastasia

        • 1. Re: FMS 9 PHP security issue
          TSGal

          tas:

           

          Thank you for your post.

           

          The Web Server documentation can probably be found on the Apple web site, but I'm unable to find it quickly.

           

          Doing a quick search on the web, I found:

           

          http://www.ciopodcast.com/index.php?option=com_content&task=view&id=224&Itemid=1

           

          From the Apache site:

           

          http://httpd.apache.org/docs/2.2/howto/access.html 

           

          Another possibility is to limit usage to 127.0.0.1, which is the local machine.  That way, if your IP address changes, it will continue to work.

           

          TSGal

          FileMaker, Inc. 

          • 2. Re: FMS 9 PHP security issue
            tas
              
            TSGal - thanks for the info.  I had already set up firewalls.  I didn't fully explain my setup.  Here is a better explanation of what's happening.
             
            This is my set up:

            MAIN SITE: 1 XServer - static ip 1.2.3.4
            Apache1 <-> WPE1 <-> FMS1


            EXTERNAL MACHINE 
            Apache2 <-> WPE2 <-> FMS2

            There is a firewall on the main site: All ports are open internally.  Only port 80 (of the filemaker related ports) is open externally. When I am outside the firewall port scans on 5003, 160xx, 50003, 5006 fail. 

            This is what happens:
            If I make the PHP code in the external machine, served by Apache2, use the IP address 1.2.3.4 of the main site to access the FileMaker server, that is, I ask to connect to FMS1 instead of FMS2 - it succeeds!
            I fail to understand how this connection happens if all the ports are closed.
            On the main site's FileMaker Server logs, I only see connections by localhost (127.0.0.1) and by 1.2.3.4.
             
            My question is - how do I get the WPE to listen only to my web server running on the same machine?
            • 3. Re: FMS 9 PHP security issue
              TSGal

              tas:

               

              Thanks for the clarification.

               

              FileMaker Pro needs port 5003 to transfer information back and forth.  However, if the external machine is strictly using PHP code and the main site is doing all the processing, then all you need is port 80 open because it now becomes like any other browsing web site where you send instructions and the web site displays the data.

               

              When you installed FileMaker Server, you were asked if you want Web Publishing turned on, and where the master machine is located.  If it is the same machine, WPE should listen automatically.  Maybe I'm missing what you are asking.

               

              TSGal

              FileMaker, Inc. 

              • 4. Re: FMS 9 PHP security issue
                tas
                  

                TSGal

                 

                I have a one machine deployment, behind a firewall.  I am asking if there is a way to PREVENT the scenario I described in my previous mail:

                "If I make the php code in the external machine, served by Apache2, use the ip address 1.2.3.4 of the main site to access the filemaker server, that is, I ask to connect to FMS1 instead of FMS2 - it succeeds!"

                 

                I want to stop FileMaker/WPE from accepting requests originating from an "external" source.  I just want it to accept requests from the same machine.

                 

                I have since realized that this is not possible, since any application can talk to FileMaker Server using XML through port 80. The only solution is to install an XML Gateway/Firewall on the server machine.  Can you verify this?

                 

                Thanks 

                 

                 
                • 5. Re: FMS 9 PHP security issue
                  TSGal

                  tas:

                   

                  If you stop someone from accessing port 80, then you are stopping everyone from accessing the site.  You are correct with your assumptions.

                   

                  For other people to send PHP or XML code, they would also need to know the login and data structure of the files, so I'm not sure this is really an issue.  For example, if I access Google via PHP, I would have to know the login and the data structure to do any kind of query to get a result.

                   

                  The XML Gateway/Firewall is a possible solution.

                   

                  TSGal

                  FileMaker, Inc.
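
The restriction described in the FileMaker documentation quoted in the first post, combined with the 127.0.0.1 suggestion from reply 1, written as an Apache 2.2 access rule using the directives covered in the Apache how-to linked above. This is an added example, not part of the original thread or of FileMaker's documentation; the `/fmi` location is an assumption about where the Web Publishing Engine is published on the web server and should be checked against the deployment.

```apache
# Added example, Apache 2.2 syntax (mod_authz_host).
# Assumption: requests for the Web Publishing Engine arrive under /fmi
# on the same Apache instance that serves the PHP pages.

# Without a block like this, the location inherits the site-wide policy,
# so anything that can reach port 80 can send requests to it.

<Location /fmi>
    # Evaluate Deny first, then Allow; a matching Allow overrides the Deny.
    Order deny,allow
    Deny from all

    # Requests made by PHP code on this machine via localhost.
    Allow from 127.0.0.1

    # The server's own address (1.2.3.4 in the thread), which also appears
    # in the FileMaker Server log when local PHP code connects by that address.
    Allow from 1.2.3.4
</Location>
```

The PHP pages themselves stay reachable on port 80; only direct requests to the restricted location from addresses not on the allow list are refused. Database accounts and privilege sets still apply to every request that is allowed through.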