CWP Security Issue

Discussion created by airmoi on Nov 9, 2016
Latest reply on Nov 10, 2016 by TSGal

This issue is similar to Malcolm Fitzgerald reported issue here Malformed CWP Script Call Returns Random Record instead of an Error


A find / compound find command will return all records from the table if one of the fields specified in the query doesn't exists or is not present on the layout


Worse than that, the getRecordById() command also returns all records from the table if the specified ID don't exists !!


This is an huge security issue as it leads to data leaks :

Let's says we have a search form that exposes some fields name. If an attacker changes any field name to some invalid field name, he will get access to whole records and potentially "confidential" datas...


I know this is also the responsibility of the developper to check input/output datas, but we need to be realist, FileMaker users are not Advanced PHP developers, and website developed over PHP-API are usually handcrafted by people with few skills