Security issues with Web Publishing

From 360Works Product Documentation Wiki
Jump to: navigation, search

General FileMaker plugin security

You should exercise care when using any FileMaker plugin from within the Web Publishing Engine. This is allowing remote users to execute code on the server machine, which can potentially be used maliciously if you do not guard against that possibility. For example, let's say that you have a file manipulation plugin installed that can read the contents of a file and display it in a FileMaker field. If you create a web publishing interface that allows the user to enter any path for the file to read, they could read any file on the server's hard drive and view the result of that in the web published database.

This does not mean that you should never use plugins with the web publishing - just make sure that you access them through scripts, and that the inputs to these scripts cannot be maliciously manipulated by users accessing your site.

Security Dialog when accessing WPE pages or Zulu

Sometimes there can be permissions issues or misconfigured security settings if FileMaker Server has been deployed multiple times. Your web server has its own settings which may not be removed when FMS is redeployed or uninstalled. FileMaker has posted instructions at which can help you clear settings from a previous FileMaker Server deployment which can help resolve these issues.

On IIS you should also make sure that "Integrated Windows authentication" is not checked in Default Site -> Properties -> Directory Security -> Edit.

SafetyNet and IIS Manager

Please note: Windows authentication needs to be disabled on IIS manager

Screenshot: Disable Windows Authentication on IIS Manager
Personal tools

Plug-in Products
Other Products