Scripted Security Challenge!

Discussion created by james.gould on Oct 19, 2012
Latest reply on Feb 12, 2013 by Mike_Mitchell

I am currently in the process of changing one of our solutions to the 'separation model' with two separate files for the interface and the data.

Ideally I would like to keep their existing FileMaker user accounts, without duplicating them in both files.

I have come up with the following solution (in the attached Archive.zip) where you log in to your user account in inferface.fmp12 (Admin / password).

I have set the Open File user account on data.fmp12 to a user account called 'Data Entry' so that the user is not asked for another set of user details when they log in - obviously this presents a security risk should somebody try to open the file directly. The file is kept on a server which isn't publicly accessible, but I feel it is best to implement some level of security over the data anyway. So to stop the automatic login if the file is opened manually, rather than as a data source for the interface, there is an onFirstWindowOpen script trigger that forces you to re-login.

I have created a layout called 'SECRET-WORD' - please could you download Archive.zip and tell me the secret word if you can get to that layout (in data.fmp12), thus proving there is a security problem with the file... (and an explanation of the loophole!)

While browsing for similar threads before posting this, somebody else suggested automatic login to the dummy interface and then storing all the user accounts in the data file... Which I think would be more secure... Layout viewing permissions would likely be a problem, but the security would be around the actual data. (However, obviously if the interface blocked access to any layout which would allow the user to edit the data, I think this would have the same effect, unless somebody broke into the data file directly.)
