FileMaker

TL;DR Alex Dubov and I just released the first public version of FMProxy, a security proxy for FileMaker Server. We are currently looking for beta testers. Want to try it out? Get your copy for Ubuntu Server x86_64 or arm_64. Make sure to read the trial docs (pdf). Introduction and Research background In the last few years, Alex Dubov and I have independently been researching the security of the FileMaker platform. We both reported bugs directly to Claris and via the Apple Bug Bounty program. ...

A while back the FileMaker Server (FMS) installer for Ubuntu Linux started checking the currently installed web server versions and giving warnings and an interactive prompt (!) in case of outdated versions. This is rather annoying if you like to install/upgrade your FMS non-interactively. Using ansible, for example, your playbook would just hang and you would start wondering what’s going on. Let’s see what is actually happening, why it’s happening, and how to solve it. ...

With a few security features added to the FileMaker Server Admin Console in the last few versions, I decided to play around with them to see how they are implemented. In this article I want to highlight three of the issues I found last year (2023) and subsequently reported to Claris/Apple. TL;DR: Until version FileMaker Server version 21.0.1 you can bypass the IP restricions and until version 20.3.1 no administrator role privileges are respected on the server (every role can upgrade itself to all privileges). The latter issue remains only partially fixed. ...

Introduction I had been planning for a while to dive deeper into the fmp12 file format to explore how data is organized and how accounts and passwords are stored. A few months ago, I finally found the time to do it. The first thing I noticed was just how little information publicly exists about the file format and especially about account and password storage. The only information on the latter was that “a one-way hash” is used for storing passwords and that there are some password reset tools that – according to forums – might work but would also “damage” your file, without any further clarification. ...

A description of how FileMaker Server stores secrets and how to approach deciphering an unknown keystore.