Injecting Accounts into fmp12 files via FMUpgradeTool v26

Claris has extended the FMUpgradeTool in the recent release, providing support for adding/replacing/deleting more object types, and also added the ability to generate completely new fmp12 files. Next to the new features, there have also been some undocumented breaking changes, though. I used the FMUpgradeTool in version 22.0.2 to inject accounts into fmp12 files as part of a deployment process. In short: a file is distributed to several servers, and while an update routine is running, the file should get site-specific accounts added, using passwords that are available only during runtime of the deployment process (and thus obviously not during distribution of the file). ...

June 29, 2026 · David Hamann

FMProxy – A Security Proxy for FileMaker Server

TL;DR Alex Dubov and I just released the first public version of FMProxy, a security proxy for FileMaker Server. We are currently looking for beta testers. Want to try it out? Get your copy for Ubuntu Server x86_64 or arm_64. Make sure to read the trial docs (pdf). Introduction and Research background In the last few years, Alex Dubov and I have independently been researching the security of the FileMaker platform. We both reported bugs directly to Claris and via the Apple Bug Bounty program. ...

May 30, 2026 · David Hamann

How to get rid of web server upgrade prompts when installing FileMaker Server on Ubuntu Linux

A while back the FileMaker Server (FMS) installer for Ubuntu Linux started checking the currently installed web server versions and giving warnings and an interactive prompt (!) in case of outdated versions. This is rather annoying if you like to install/upgrade your FMS non-interactively. Using ansible, for example, your playbook would just hang and you would start wondering what’s going on. Let’s see what is actually happening, why it’s happening, and how to solve it. ...

January 5, 2026 · David Hamann

FileMaker Server Admin Console: Access and Role Restriction Issues

With a few security features added to the FileMaker Server Admin Console in the last few versions, I decided to play around with them to see how they are implemented. In this article I want to highlight three of the issues I found last year (2023) and subsequently reported to Claris/Apple. TL;DR: Until version FileMaker Server version 21.0.1 you can bypass the IP restricions and until version 20.3.1 no administrator role privileges are respected on the server (every role can upgrade itself to all privileges). The latter issue remains only partially fixed. ...

October 9, 2024 · David Hamann

Exploring the fmp12 file format; or: what was my password again?

Introduction I had been planning for a while to dive deeper into the fmp12 file format to explore how data is organized and how accounts and passwords are stored. A few months ago, I finally found the time to do it. The first thing I noticed was just how little information publicly exists about the file format and especially about account and password storage. The only information on the latter was that “a one-way hash” is used for storing passwords and that there are some password reset tools that – according to forums – might work but would also “damage” your file, without any further clarification. ...

June 17, 2024 · David Hamann