FMProxy – A Security Proxy for FileMaker Server

TL;DR Alex Dubov and I just released the first public version of FMProxy, a security proxy for FileMaker Server. We are currently looking for beta testers. Want to try it out? Get your copy for Ubuntu Server x86_64 or arm_64. Make sure to read the trial docs (pdf). Introduction and Research background In the last few years, Alex Dubov and I have independently been researching the security of the FileMaker platform. We both reported bugs directly to Claris and via the Apple Bug Bounty program. ...

May 30, 2026 · David Hamann

FileMaker Server Admin Console: Access and Role Restriction Issues

With a few security features added to the FileMaker Server Admin Console in the last few versions, I decided to play around with them to see how they are implemented. In this article I want to highlight three of the issues I found last year (2023) and subsequently reported to Claris/Apple. TL;DR: Until FileMaker Server version 21.0.1 you can bypass the IP restrictions, and until version 20.3.1 no administrator role privileges are respected on the server (every role can upgrade itself to all privileges). The latter issue remains only partially fixed. ...

October 9, 2024 · David Hamann

Exploring the fmp12 file format; or: what was my password again?

Introduction I had been planning for a while to dive deeper into the fmp12 file format to explore how data is organized and how accounts and passwords are stored. A few months ago, I finally found the time to do it. The first thing I noticed was just how little information publicly exists about the file format and especially about account and password storage. The only information on the latter was that “a one-way hash” is used for storing passwords and that there are some password reset tools that – according to forums – might work but would also “damage” your file, without any further clarification. ...

June 17, 2024 · David Hamann

Connecting to a private Windows EC2 instance without exposing RDP to the internet

The problem statement Let’s say you have a (Windows or Linux) EC2 instance in a private subnet and want to access it interactively. There are several ways to do this: You could use a bastion host in your public subnet, harden it and limit access to a certain IP range, and then tunnel your SSH or RDP (or any other TCP) traffic through this host using SSH. Alternatively, you could set up a VPN server through which to connect to your instance. ...

February 12, 2024 · David Hamann

Deciphering the FileMaker Server keystore

A description of how FileMaker Server stores secrets and how to approach deciphering an unknown keystore.

May 29, 2023 · David Hamann