Injecting Accounts into fmp12 files via FMUpgradeTool v26

Claris has extended the FMUpgradeTool in the recent release, providing support for adding/replacing/deleting more object types, and also added the ability to generate completely new fmp12 files. Next to the new features, there have also been some undocumented breaking changes, though. I used the FMUpgradeTool in version 22.0.2 to inject accounts into fmp12 files as part of a deployment process. In short: a file is distributed to several servers, and while an update routine is running, the file should get site-specific accounts added, using passwords that are available only during runtime of the deployment process (and thus obviously not during distribution of the file). ...

June 29, 2026 · David Hamann

CVE-2021-44147: XML External Entity Vulnerability in Claris FileMaker

A couple of months ago I looked more deeply into the “Import Records” functionality in FileMaker, especially the XML parsing, and was wondering if any XXE vulnerability may exist and how one could exploit this in technically interesting ways. The vulnerability is/was indeed there and can lead to local file disclosure and server side request forgery in various components of the FileMaker platform. The following is a description of the vulnerability including potential exploitation paths. ...

November 18, 2021 · David Hamann