Deciphering the FileMaker Server keystore

A description of how FileMaker Server stores secrets and how to approach deciphering an unknown keystore.

May 29, 2023 · David Hamann

Uploading files to FileMaker Server without a Pro client

Back in the dark ages the FileMaker Server admin console (then Java Web Start) allowed you to remotely upload new fmp12 files to the server. For some reason this feature did not survive the admin console rewrite a decade (?) ago. Rather, the upload feature was integrated into the Pro client. Later, as the Admin REST API was released, the upload feature was still missing. The only two options to upload fmp12 files to the server are thus: ...

March 16, 2023 · David Hamann

Monitoring FileMaker scheduled scripts

In this tutorial I want to describe how you can setup immediate notifications whenever your scheduled FileMaker scripts stop running – for example due to a crashed FileMaker scripting engine, an error in your script or just general server downtime. I will be using allgood.systems, a monitoring platform I recently built. Creating a new Job Monitor Once you have registered on allgood.systems you can navigate to the “Job Monitors” tab to create a new monitor for the FileMaker script you would like to get notifications for. ...

August 12, 2022 · David Hamann

Remote debugging Claris Data API

When debugging code that integrates with the Claris FileMaker Data API, it is sometimes helpful to trace a request from your app all the way to the code of the Data API. You might be getting an unexpected error response, want to see what data actually arrives on the server, how a wrapper library, if you use any, might translate the request/response, etc. Doing this kind of troubleshooting is much easier when you are able to directly attach a debugger to the remote process. This blog post describes a few steps you can take to remotely debug Data API requests. ...

May 4, 2022 · David Hamann

CVE-2021-44147: XML External Entity Vulnerability in Claris FileMaker

A couple of months ago I looked more deeply into the “Import Records” functionality in FileMaker, especially the XML parsing, and was wondering if any XXE vulnerability may exist and how one could exploit this in technically interesting ways. The vulnerability is/was indeed there and can lead to local file disclosure and server side request forgery in various components of the FileMaker platform. The following is a description of the vulnerability including potential exploitation paths. ...

November 18, 2021 · David Hamann