Issue report by Malcolm Fitzgerald
Product
FileMaker Server

Version
11.0.5.510

Operating system version
OS X 10.6.8

Description of the issue
Security

When calling getScriptNames via CWP the names of all script folders are revealed, despite the fact that the user account accessing the database has script privileges set to "All No Access".
Steps to reproduce the problem
1. Create a database with a user account privilege set that has scripts set to "All No Access" and extended privileges set to fmphp.
2. Write a PHP page which queries the database using that account and calls getScriptNames.
Expected result
I expect an error to be returned or an empty object.

Actual result
The names of all script folders are returned.

Script folders may contain information which is expected to be secure. There is no warning that I have seen that advises the developer that folder names will be revealed to web users regardless of the security settings in user account privilege sets.

Databases which have been purchased from vendors will have signature folder names. If an exploitable weakness is discovered in the product, the signature folder name may be used to identify the database for attack.
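A PHP check a developer can run against their own deployment to confirm whether a restricted CWP account gets script or folder names back from getScriptNames, added here as an example and not part of the original report. The host, database and account values are placeholders, and it assumes the FileMaker PHP API (FileMaker.php) bundled with FileMaker Server 11.

```php
<?php
// Added example: verify whether an account whose privilege set grants
// "All No Access" to scripts still receives names from getScriptNames().
// Assumes the FileMaker PHP API shipped with FileMaker Server 11.
require_once 'FileMaker.php';

// Placeholders: the restricted test account and database from the report
// (privilege set: scripts "All No Access", extended privilege fmphp).
$host     = 'localhost';
$database = 'TestDatabase';
$account  = 'restricted_web_user';
$password = 'placeholder-password';

$fm = new FileMaker($database, $host, $account, $password);

$result = $fm->getScriptNames();

if (FileMaker::isError($result)) {
    // The behaviour the report expects for an account with no script
    // access: an error rather than a list of names.
    echo "getScriptNames returned error " . $result->getCode()
       . ": " . $result->getMessage() . "\n";
    exit(0);
}

if (count($result) === 0) {
    // Also acceptable: nothing is disclosed.
    echo "getScriptNames returned an empty list: no names disclosed.\n";
    exit(0);
}

// Anything reaching this point was returned to the restricted account
// despite "All No Access", which is the disclosure the report describes.
echo "WARNING: " . count($result)
   . " script/folder name(s) disclosed to a restricted account:\n";
foreach ($result as $name) {
    echo "  - " . $name . "\n";
}
exit(1);
```

Run it with the restricted account only; a non-zero exit means the deployment exhibits the behaviour described above and folder names should be treated as visible to web users.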