Bugtraq mailing list archives

4ward:It's a blue world!


From: deepquest () NETSCAPE NET (deepquest () NETSCAPE NET)
Date: Tue, 2 May 2000 22:34:15 -0000


/* off topic: please in the list disable or add a filter to your auto-reply */

from: http://www.blueworld.com/blueworld/news/05.01.00-FM5_Security.html

(.../...)
The precise details of how to exploit these holes are minimized to prevent compromising the integrity of all current Internet-accessible FileMaker Pro 5 databases and mail servers. However, details can be easily deduced by referencing the FileMaker Pro 5 documentation and by consulting the FileMaker XML Technology Overview white paper available via the FileMaker XML Central Web site.

1. Anyone on the Internet can view all data in a FileMaker Pro 5 Web accessible database regardless of Web Database Security preferences set to deny such access.

With FileMaker Pro 5 it is possible to return data in XML format based upon a request submitted by anyone on the Internet. The XML publishing capabilities of the FileMaker Pro 5 Web Companion cannot be disabled separately from the Web Companion. The XML publishing capabilities bypass certain crucial aspects of FileMaker Pro 5 Web security allowing anyone on the Web to view any data within a FileMaker Pro 5 database.

The hole allows anyone to view sensitive data contained within FileMaker Pro 5 databases such as credit card numbers, passwords, employee records, and trade secrets that are not intended for public access.

2. Anyone on the Internet can use the Web Companion's email capabilities to retrieve all data contained in any FileMaker Pro 5 Web Companion enabled database regardless of Web Database Security preferences set to deny such access.

FileMaker Pro 5 Web Companion's new email capabilities include the ability to specify that any field in a database be used as the format for the body of the email message. This new functionality can be accessed through a request submitted by anyone on the Internet. The new email capabilities can be used to bypass certain crucial aspects of FileMaker Pro 5 Web security allowing anyone on the Web to send the contents of any database field via email to themselves or a third party.

The hole makes it possible to access and rapidly distribute across the Internet sensitive information stored in FileMaker Pro 5 databases not intended for viewing by the general public.

3. Anyone on the Internet can use Web Companion's email capabilities to send anonymous or impersonated email thereby compromising the integrity of any targeted mail server.

The hole allows anyone to anonymously flood email accounts and mask or impersonate the true identity and source of the originating message making it virtually impossible to trace the origin of malicious activity.

For example, anyone on the Web could access any organization's FileMaker Pro 5 powered Web site and submit a query that contains commands which instruct the Web Companion to send an email from the president of the organization instructing all employees not to show up to work. As the email would originate from the organization's own servers, it would be virtually impossible to trace the true location of the perpetrator.
(.../...)
solutions exist, look at http://www.blueworld.com/blueworld/news/05.01.00-FM5_Security.html

