Security issues with Web Publishing

From 360Works Product Documentation Wiki
(Difference between revisions)
(Created page with "==General FileMaker plugin security== You should exercise care when using any FileMaker plugin from within the Web Publishing Engine. This is allowing remote users to execute...")
 
(Security Dialog when accessing WPE pages or Zulu)
Line 7: Line 7:
 
==Security Dialog when accessing WPE pages or Zulu==
 
==Security Dialog when accessing WPE pages or Zulu==
  
Sometimes there cahn be permissions issues or misconfigured security settings if FileMaker Server has been deployed multiple times.  Your web server has its own settings which may not be removed when FMS is redeployed or uninstalled.  FileMaker has posted instructions at http://help.filemaker.com/app/answers/detail/a_id/6454/kw/IIS%20Authentication/session/L3RpbWUvMTMwMzgyNzY0MC9zaWQvQjcxTGxzc2s%3D which can help you clear settings from a previous FileMaker Server deployment which can help resolve these issues.
+
Sometimes there can be permissions issues or misconfigured security settings if FileMaker Server has been deployed multiple times.  Your web server has its own settings which may not be removed when FMS is redeployed or uninstalled.  FileMaker has posted instructions at http://help.filemaker.com/app/answers/detail/a_id/6454/kw/IIS%20Authentication/session/L3RpbWUvMTMwMzgyNzY0MC9zaWQvQjcxTGxzc2s%3D which can help you clear settings from a previous FileMaker Server deployment which can help resolve these issues.
  
 
On IIS you should also make sure that "Integrated windows authentication" is not checked in Default Site -> Properties -> Directory Security -> Edit.
 
On IIS you should also make sure that "Integrated windows authentication" is not checked in Default Site -> Properties -> Directory Security -> Edit.
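
Review bot: the changed line fixes "cahn" but leaves two other problems in the same sentence. "which can help" appears twice, and the FileMaker link still carries its `/kw/IIS%20Authentication/session/...` tail, which looks like search-keyword and session state from whoever copied the URL. Suggest ending the sentence once ("... a previous FileMaker Server deployment, which can help resolve these issues") and trimming the link to the part that identifies the answer, after confirming the shorter URL still loads.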

Revision as of 20:28, 12 December 2014

General FileMaker plugin security

You should exercise care when using any FileMaker plugin from within the Web Publishing Engine. Doing so allows remote users to execute code on the server machine, which can be used maliciously if you do not guard against that possibility. For example, suppose you have a file manipulation plugin installed that can read the contents of a file and display it in a FileMaker field. If you create a web publishing interface that lets the user enter any path for the file to read, they could read any file on the server's hard drive and view the result in the web-published database.

This does not mean that you should never use plugins with web publishing. Just make sure that you access them through scripts, and that the inputs to these scripts cannot be maliciously manipulated by users accessing your site.
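
The check such a script wrapper needs before passing a web-supplied file name to a file-reading plugin, shown in Python as an added example (not 360Works or FileMaker code). The function names, the published directory and the suffix allow-list are hypothetical, and the sample files are constructed in a temporary directory.

```python
import tempfile
from pathlib import Path


class PathRejected(ValueError):
    """Raised when a web-supplied file name must not reach the plugin."""


def resolve_for_plugin(base_dir, user_input, allowed_suffixes=(".txt", ".csv")):
    """Return the real path of user_input inside base_dir, or raise PathRejected."""
    if not user_input or "\x00" in user_input:
        raise PathRejected("empty or malformed name")
    base = Path(base_dir).resolve(strict=True)
    # resolve() collapses ".." and follows symlinks, so containment is checked
    # on the real target; an absolute user_input replaces base in the join.
    candidate = (base / user_input).resolve()
    if base not in candidate.parents:
        raise PathRejected("outside published directory")
    if candidate.suffix.lower() not in allowed_suffixes:
        raise PathRejected("file type not published")
    if not candidate.is_file():
        raise PathRejected("no such file")
    return candidate


def demo():
    """Check constructed inputs against a temporary directory tree."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        base = Path(root, "published")  # hypothetical web-readable folder
        base.mkdir()
        (base / "report.txt").write_text("public")
        secret = Path(root, "secret.txt")  # constructed server-only file
        secret.write_text("server-only")
        (base / "link.txt").symlink_to(secret)  # symlink that leaves base
        cases = {"plain": "report.txt", "dotdot": "../secret.txt",
                 "absolute": str(secret), "symlink": "link.txt",
                 "suffix": "report.exe"}
        for label, value in cases.items():
            try:
                resolve_for_plugin(base, value)
                results[label] = "allowed"
            except PathRejected as exc:
                results[label] = str(exc)
    return results


if __name__ == "__main__":
    print(demo())
```

Only the path returned by the check is handed on to the file-reading step; the raw form value never is.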

Security Dialog when accessing WPE pages or Zulu

Sometimes there can be permissions issues or misconfigured security settings if FileMaker Server (FMS) has been deployed multiple times. Your web server has its own settings, which may not be removed when FMS is redeployed or uninstalled. FileMaker has posted instructions at http://help.filemaker.com/app/answers/detail/a_id/6454/kw/IIS%20Authentication/session/L3RpbWUvMTMwMzgyNzY0MC9zaWQvQjcxTGxzc2s%3D for clearing settings left by a previous FileMaker Server deployment, which can help resolve these issues.

On IIS, you should also make sure that "Integrated Windows authentication" is not checked in Default Site -> Properties -> Directory Security -> Edit.
