8 Replies Latest reply on May 9, 2017 9:26 AM by TSGal

    Debugger is leaking nformation to Unauthorised users

    Malcolm

      Environment

      FMPA 15.0.1.119

      Mac OS X 10.11.6

      MacBook Pro (Retina, 15-inch, Mid 2015)

      CPU 2.5 GHz Intel Core i7

      RAM 16 GB 1600 MHz DDR3

       

      Issue:

      An unauthorised user should not be able to obtain any information from the debugger.

       

      What actually happens:

      The debugger reveals the call stack to an unauthorised user.

       

      Workaround:

      none.

       

      To Reproduce:

      Using FMPA, open the debugger and then run a script. In my testing I was attempting to view the login process. So, with the file closed I opened the debugger window. Then I opened the file.

       

      In the first instance I tried to login using an account which was not in the file. The script debugger does not reveal anything to the user.

       

      In the second instance I used a valid account which did not have full access privileges. When I do this the script debugger begins to leak information. I am able to see the names of the scripts being used in the file open sequence.

        • 1. Re: Debugger is leaking nformation to Unauthorised users
          TSGal

          Malcolm:

           

          Thank you for your post.

           

          For that privilege set, make sure your scripts is set for no access.  If you have script access set for either executable or modifiable, then the script name will display.  When set to "no access", the script name will not appear, and nothing will appear in the Call Stack.

           

          TSGal

          FileMaker, Inc.

          • 2. Re: Debugger is leaking nformation to Unauthorised users
            Malcolm

            Hi TSGal,

             

            Isn't the primary purpose of privilege sets to secure the database in an

            untrustworthy environment? As a developer who is trying to secure a

            solution, I am struggling with the idea that I should rewrite all my

            privilege sets as a way to control the behaviour of the script debugger.

             

            Also, I want these users to be able to execute the scripts.

             

            In the situation that I have described I am logging into the database as

            an user who has a valid account name/password. When I do this with the

            debugger running, all of the scripts involved in the opening process are

            revealed in the Call Stack. That is the problem. The debugger is leaking

            information to an unauthorised user. It is not necessary for the user to

            see this information and I would much rather than they did not.

             

            Please remember, this is the debugger. The user has not been able to

            provide valid credentials for a Full Access account. The debugger has

            responded by saying, "You are not allowed access!" At the same time it

            has opened a little window so that the user can follow the progress

            through the code. If the user does not have permission to run the

            debugger why do they have permission to watch the call stack?

             

            To repeat: I do not think that the debugger should reveal the call stack

            to a user who has not authenticated with Full Access Privileges. I

            believe the current behaviour is a security flaw. It provides an

            unauthorised user with much more information than necessary.

             

            Malcolm

            • 3. Re: Debugger is leaking nformation to Unauthorised users
              TSGal

              Malcolm:

               

              I have forwarded your comments to our Development and Testing teams for review.  When I receive any feedback, I will let you know.

               

              TSGal

              FileMaker, Inc.

              • 4. Re: Debugger is leaking nformation to Unauthorised users
                TSGal

                Malcolm:

                 

                Testing has sent the information to Development for review.

                 

                TSGal

                FileMaker, Inc.

                • 5. Re: Debugger is leaking nformation to Unauthorised users
                  alan_barker

                  As a fellow developer, I guess I can understand somewhat your concern.  However, the normal General public user is not using Advanced.  They would be using a conventional copy of Pro, and there obviously is no debugger.  So, having said that, I don't see this as a gigantic security risk.

                   

                  Alan

                  • 6. Re: Debugger is leaking nformation to Unauthorised users
                    FileKraft

                    security is never aimed at the general public user

                    • 7. Re: Debugger is leaking nformation to Unauthorised users
                      Malcolm

                      @alan_barker, what is a security risk?  Security breach, data loss, denial of service, data corruption, misuse of resources, etc, etc. They all spell trouble.

                       

                      It's quite possible that the development team may decide that the current behaviour is acceptable. After all, there are a variety of other ways in which a user may obtain the same information. They don't have to run FMPA either. However, if I were writing the attack manual I would include this sentence: any information that can be obtained from the system should be used against the system by all means available.

                      1 of 1 people found this helpful
                      • 8. Re: Debugger is leaking nformation to Unauthorised users
                        TSGal

                        Malcolm:

                         

                        This issue has been addressed in FileMaker Pro 16.

                         

                        TSGal

                        FileMaker, Inc.

                        1 of 1 people found this helpful