[14763] in bugtraq
4ward:It's a blue world!
daemon@ATHENA.MIT.EDU (deepquest@NETSCAPE.NET)
Wed May 3 13:53:08 2000
Message-Id: <20000502223415.28564.qmail@securityfocus.com>
Date: Tue, 2 May 2000 22:34:15 -0000
Reply-To: deepquest@NETSCAPE.NET
From: deepquest@NETSCAPE.NET
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
/*off topic: please in the list disable or add filter to your
auto-reply*/
from:http://www.blueworld.com/blueworld/news/05.01.00-FM5_Sec
urity.html
(.../...)
The precise details of how to exploit
these holes is minimized to prevent compromising the
integrity of all current Internet-accessible FileMaker Pro 5
databases and mail servers. However, details can be easily
deduced by referencing the FileMaker Pro 5 documentation and
by consulting the FileMaker XML Technology Overview white
paper available via the FileMaker XML Central Web site.
1. Anyone on the Internet can view
all data in a FileMaker Pro 5 Web accessible database
regardless of Web Database Security preferences set to deny
such access.
With FileMaker Pro 5 it is possible
to return data in XML format based upon a request submitted
by anyone on the Internet. The XML publishing capabilities of
the FileMaker Pro 5 Web Companion cannot be disabled
separately from the Web Companion. The XML publishing
capabilities bypass certain crucial aspects of FileMaker Pro
5 Web security allowing anyone on the Web to view any data
within a FileMaker Pro 5 database.
The hole allows anyone to view
sensitive data contained within FileMaker Pro 5 databases
such as credit card numbers, passwords, employee records, and
trade secrets that are not intended for public access.
2. Anyone on the Internet can use the
Web Companion's email capabilities to retrieve all data
contained in any FileMaker Pro 5 Web Companion enabled
database regardless of Web Database Security preferences set
to deny such access.
FileMaker Pro 5 Web Companion new
email capabilities include the ability to specify that any
field in a database be used as the format for the body of the
email message. This new functionality can be accessed through
a request submitted by anyone on the Internet. The new email
capabilities can be used to bypass certain crucial aspects of
FileMaker Pro 5 Web security allowing anyone on the Web to
send the contents of any database field via email to
themselves or a third party.
The hole makes it possible to access
and rapidly distribute across the Internet sensitive
information stored in FileMaker Pro 5 databases not intended
for viewing by the general public.
3. Anyone on the Internet can use Web
Companion's email capabilities to send anonymous or
impersonated email thereby compromising the integrity of any
targeted mail server.
The hole allows anyone to anonymously
flood email accounts and mask or impersonate the true
identity and source of the originating message making it
virtually impossible to trace the origin of malicious
activity.
For example, anyone on the Web could
access any organization's FileMaker Pro 5 powered Web site
and submit a query that contains commands which instruct the
Web Companion to send an email from the president of the
organization instructing all employees not to show up to
work. As the email would originate from the organization's
own servers, it would be virtually impossible to trace the
true location of the perpetrator.
(.../...)
solutions exist look at
http://www.blueworld.com/blueworld/news/05.01.00-FM5_Security
.html
