Open Remote security issue?

Discussion created by dtcgnet on Sep 15, 2016
Latest reply on Sep 28, 2016 by dtcgnet

Product and version: FMPA, 15.0.1.119; FMS 15.0.1.137

OS and version: OS X El Capitan, 10.11.5

Browser and version (for WebDirect only):

Hardware: MacBook Pro

Description: There are two settings in the Host Setup section of the Open Remote dialog: 1) Show all available files for this host, and 2) Show only these files. Using FMS 15 as the host, when you first go to Open Remote, you're required to enter credentials. With the FMP host settings set to "Show all available files", you will be shown all files for which the credentials you enter are valid. You will NOT be shown files for which the credentials you enter are not valid. However, with the setting "Show only these files", if the credentials you enter are valid for any file on the server, then you will be shown every database in the "Show only these files" list, even if the credentials you enter will not allow you access to those files.

How to replicate: Set File Settings to "Show all available files for this host", click Save, and select the host. Enter valid credentials for a database (the credentials could be the same for more than one database [as in a multi-file solution]). You'll see only databases for which those credentials are valid. Change the File Settings to "Show only these files" and enter the names of a number of databases. Save. Select the host, and enter credentials valid for a database which you did NOT include in the "Show only these files" list. You will be shown databases for which you do not have access (and you won't see the one which you left out of the list but which was the one that matched the credentials you entered). (By the way, my FileMaker Server is set to "List only the databases each user is authorized to access" in the File Display Filter area.)

Workaround (if any): None

If I enter File1, File2, File3, File4, File5 in the "Show only these files" list, and I only have access to File1 and I've selected the FMS option to "List only the databases each user is authorized to access", then I should NOT see File2, File3, File4, File5. However, I will see all five files.

If I have a multi-file solution and users should only open FileA (which would then open FileB and FileC as part of the startup script), then the user's credentials would be valid for FileA, FileB, and FileC. I would NOT want to show FileB and FileC in the list of available files, so I'd select "Show only these files" and I'd list only FileA. But if SuperSecretFile1 and SuperSecretFile2 were also in the list, then I'd be able to see those databases listed when I entered my valid credentials for FileA.
