<div class="content_inn">
<div class="left_panal">
<div class="left_content_box">
<div class="left_inner_box_heading"><h1>FileMaker Pro 5 Web Security Alert</h1></div>
<div class="left_inner_box_inn">
<p>Blue World Announces FileMaker Pro 5 Web Security Alert</p>
<p>May 1, 2000</p>
<p>Blue World Communications, Inc.--pioneers of the Web Data Engine(tm)--today announced to customers, partners, vendors, Internet security regulators, and the wider FileMaker Pro Web community that it has discovered at least three serious security holes in the Web Companion provided in the FileMaker Pro 5 product line. The security holes are a result of new XML and email capabilities introduced in the FileMaker Pro 5 product line. The first security hole permits anyone on the Internet to view all data contained in any FileMaker Pro 5 Web Companion configured database made accessible on the Internet, regardless of Web Database Security preferences set to deny such access. The second security hole permits anyone on the Internet to use the Web Companion's email capabilities to send email with data contained in any FileMaker Pro 5 Web Companion enabled database, regardless of Web Database Security preferences set to deny such access. The third security hole permits anyone on the Internet to use FileMaker Pro 5 Web Companion to send anonymous or impersonated email.</p>
<p>The problems affect all organizations with Web sites that utilize FileMaker Pro 5 Web Companion. The email problems can affect any organization that hosts a mail server. FileMaker, Inc. has been notified.</p>
<h2>Security Holes</h2>
<p>The precise details of how to exploit these holes are minimized to prevent compromising the integrity of all current Internet-accessible FileMaker Pro 5 databases and mail servers. However, details can be easily deduced by referencing the FileMaker Pro 5 documentation and by consulting the FileMaker XML Technology Overview white paper available via the FileMaker XML Central Web site.</p>
<p>1. Anyone on the Internet can view all data in a FileMaker Pro 5 Web accessible database regardless of Web Database Security preferences set to deny such access.</p>
<p>With FileMaker Pro 5 it is possible to return data in XML format based upon a request submitted by anyone on the Internet. The XML publishing capabilities of the FileMaker Pro 5 Web Companion cannot be disabled separately from the Web Companion. The XML publishing capabilities bypass certain crucial aspects of FileMaker Pro 5 Web security, allowing anyone on the Web to view any data within a FileMaker Pro 5 database.</p>
<p>The hole allows anyone to view sensitive data contained within FileMaker Pro 5 databases such as credit card numbers, passwords, employee records, and trade secrets that are not intended for public access.</p>
<p>2. Anyone on the Internet can use the Web Companion's email capabilities to retrieve all data contained in any FileMaker Pro 5 Web Companion enabled database regardless of Web Database Security preferences set to deny such access.</p>
<p>The FileMaker Pro 5 Web Companion's new email capabilities include the ability to specify that any field in a database be used as the format for the body of the email message. This new functionality can be accessed through a request submitted by anyone on the Internet. The new email capabilities can be used to bypass certain crucial aspects of FileMaker Pro 5 Web security, allowing anyone on the Web to send the contents of any database field via email to themselves or a third party.</p>
<p>The hole makes it possible to access and rapidly distribute across the Internet sensitive information stored in FileMaker Pro 5 databases not intended for viewing by the general public.</p>
<p>3. Anyone on the Internet can use Web Companion's email capabilities to send anonymous or impersonated email, thereby compromising the integrity of any targeted mail server.</p>
<p>The hole allows anyone to anonymously flood email accounts and mask or impersonate the true identity and source of the originating message, making it virtually impossible to trace the origin of malicious activity.</p>
<p>For example, anyone on the Web could access any organization's FileMaker Pro 5 powered Web site and submit a query that contains commands which instruct the Web Companion to send an email from the president of the organization instructing all employees not to show up to work. As the email would originate from the organization's own servers, it would be virtually impossible to trace the true location of the perpetrator.</p>
<h2>Solutions</h2>
<p>There are four potential solutions to close the security holes. The first three require disabling portions of FileMaker Pro's built-in Web Companion or downgrading to a previous and safer version of FileMaker Pro. The final solution entails using a third party product, such as Lasso Web Data Engine, to protect FileMaker Pro 5 databases on the Web.</p>
<p>A. Disable the FileMaker Pro Web Companion. This disables the automatic XML Publishing and email capabilities of FileMaker Pro 5.</p>
<p>B. Don't use FileMaker Pro 5. Earlier versions of FileMaker Pro Web Companion do not contain these security flaws.</p>
<p>C. Use FileMaker Pro access privileges rather than the Web Security Database. (Note: This only addresses the first two security issues reported here.) While FileMaker Pro access privileges seemingly offer a solution to this problem, they do not provide certain important additional features otherwise provided in the Web Security Database. As such, it is not a viable option for Web developers who require specific Web-related security features.</p>
<p>D. Use Lasso Web Data Engine as a secure proxy to FileMaker Pro 5 Web Companion. Configure FileMaker Pro Web Companion to limit access to the IP address of the machine on which Lasso is installed. You can then safely use Lasso security to protect your FileMaker Pro 5 databases.</p>
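<p>The following toy model is an added example, not code from Blue World, FileMaker or Lasso: it shows the shape of holes 1 and 2 (a Web Security Database applied on the HTML output path but not on the XML and email paths) beside a single-choke-point handler of the kind solutions C and D aim at, including the proxy IP allow-list of solution D. The database name, field names and addresses are constructed.</p>

```python
# Added illustration, not FileMaker or Blue World code: the Web Security Database
# is consulted only on the HTML path, while XML publishing and email read fields
# directly. All database, field and address values below are constructed.

# Constructed database: one table, one record, one public and one private field.
DATABASE = {
    "customers.fp5": [{"name": "Ada", "card_number": "4111-0000-0000-1111"}],
}
# Constructed Web Security Database entry: only "name" is published to the Web.
WEB_SECURITY_DB = {"customers.fp5": {"web_fields": {"name"}}}
# Hypothetical allow-list for solution D: only the Lasso proxy host may connect.
PROXY_ALLOW_LIST = {"10.0.0.5"}


def _web_fields(db):
    """Fields the Web Security Database permits for this database (empty = none)."""
    return WEB_SECURITY_DB.get(db, {}).get("web_fields", set())


def _filter(records, allowed):
    """Strip every field that is not in the allowed set."""
    return [{k: v for k, v in r.items() if k in allowed} for r in records]


def vulnerable_handler(db, fmt, client_ip, mail_body_field=None):
    """Shape of holes 1 and 2: only the HTML path applies the security DB,
    and client_ip is accepted but never checked."""
    records = DATABASE[db]
    if fmt == "html":
        return _filter(records, _web_fields(db))
    if fmt == "xml":          # hole 1: every field is serialised regardless
        return [dict(r) for r in records]
    if fmt == "mail":         # hole 2: any field can become the message body
        return [r[mail_body_field] for r in records]
    raise ValueError(f"unknown format {fmt!r}")


def hardened_handler(db, fmt, client_ip, mail_body_field=None):
    """Single choke point: proxy allow-list first, then one field filter
    applied before any output format sees the records."""
    if client_ip not in PROXY_ALLOW_LIST:
        raise PermissionError("client is not the configured proxy host")
    allowed = _web_fields(db)
    records = _filter(DATABASE[db], allowed)
    if fmt in ("html", "xml"):
        return records
    if fmt == "mail":
        if mail_body_field not in allowed:
            raise PermissionError("field is not published to the Web")
        return [r[mail_body_field] for r in records]
    raise ValueError(f"unknown format {fmt!r}")
```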
<h2>Blue World Policy on Security Alerts</h2>
<p>Blue World notifies customers, partners, and vendors as quickly as possible regarding any problems pertaining to the secure use of Blue World products either as they exist unto themselves or when used in combination with other products. Blue World strives to deliver appropriate information so the seriousness of any security related problem is clearly understood and widely known in an effort to best serve all those potentially affected by security issues. As appropriate, Blue World will limit the amount of detailed information revealed so as to not potentially compromise the integrity of currently deployed and publicly accessible solutions based upon any vendors' products, including those vendors' products which directly compromise the security of any solution built using Blue World products.</p>
<h2>Additional Information</h2>
<p>Additional information is not available from Blue World. FileMaker, Inc. can be contacted via contacts listed on the FileMaker, Inc. Web site at <a href="http://www.filemaker.com" title="http://www.filemaker.com">http://www.filemaker.com</a>. Interested parties who wish to discover how the FileMaker Pro community reacts to this issue are cordially invited to join the Blue World FileMaker Pro Talk email discussion forum, details provided at <a href="http://www.blueworld.com/blueworld/lists/filemaker.html" title="http://www.blueworld.com/blueworld/lists/filemaker.html">http://www.blueworld.com/blueworld/lists/filemaker.html</a>. An archive containing all posts to FileMaker Pro Talk may be found at</p>
<p>Blue World Communications, Inc. (<a href="http://www.blueworld.com" title="http://www.blueworld.com">http://www.blueworld.com</a>) delivers cross-platform software tools allowing Web developers and designers to quickly build and deploy powerful data-driven Web applications. Blue World provides Lasso Web Data Engine, Lasso Studio for Dreamweaver, Blue World Store and Blue World ListSearch service in fulfillment of its mission to bring business to the Internet.</p>
</div>
<div class="left_inner_box_bottom"> </div>
</div>
</div>
</div>
</div>
</div>
<div id="bootom_foo_ter">All contents are Copyright 1984-2010 by Xplain Corporation. All rights reserved. Theme designed by <a href="http://www.icreon.com">Icreon</a>.</div>
<script type="text/javascript">