Channel: FileMaker Forum > Report an issue

Malformed Script calls leak data from CWP enabled databases


Issue report by Malcolm Fitzgerald

Product

FileMaker Server

Version

11.0.5.510

Operating system version

OS X 10.6.8

Description of the issue

newPerformScriptCommand($layout, $script, $parameter) can be called with a layout name only and it will return a record from the database.

newPerformScriptCommand($layout, $script, $parameter) can be called with a layout name only and a Folder name in place of a script name and it will return a record from the database.

Steps to reproduce the problem

With a CWP-enabled database, make a call to newPerformScriptCommand, provide any layout and leave the script name empty.

In the test I performed I was using a Guest account. No user name or password.
In the database I had modified the [Guest] account to use a custom privilege set. The privilege set was set to Scripts: All No Access. In this setup no script should be able to be run.

Expected result

The function should return an error because a required parameter is missing.

Actual result

The database will return a record.

Exact text of any error message(s) that appear

No error message
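
An application-side check for the malformed calls described in the report, as an added example that is not part of the original post or of FileMaker's code: it refuses an empty script name, and any layout/script pair that is not on an allowlist, before newPerformScriptCommand is reached. The allowlist contents, guardedPerformScript and StubFileMaker are assumptions made for illustration.

```php
<?php
// Added example: guard in the calling PHP code around newPerformScriptCommand().
// ALLOWED_SCRIPTS (and every name in it) and guardedPerformScript() are hypothetical.
const ALLOWED_SCRIPTS = [
    // layout name => script names this web application may call on it
    'web_contacts' => ['Send Confirmation', 'Log Visit'],
];

function guardedPerformScript($fm, $layout, $script, $parameter = null)
{
    // The malformed call from the report: script name missing or empty.
    if (!is_string($layout) || !is_string($script) || trim($script) === '') {
        throw new InvalidArgumentException('layout and script name are required');
    }
    // Only known scripts on known layouts pass; a folder name supplied
    // in place of a script name is not in the list and is rejected here.
    $allowed = ALLOWED_SCRIPTS[$layout] ?? [];
    if (!in_array($script, $allowed, true)) {
        throw new InvalidArgumentException('layout/script pair not allowed');
    }
    return $fm->newPerformScriptCommand($layout, $script, $parameter);
}

// Constructed stand-in for the FileMaker object so the example runs offline.
class StubFileMaker
{
    public function newPerformScriptCommand($layout, $script, $parameter = null)
    {
        return "command($layout, $script)";
    }
}

$fm = new StubFileMaker();
$calls = [ // constructed sample inputs
    ['web_contacts', 'Log Visit'],    // valid pair
    ['web_contacts', ''],             // script name left empty
    ['web_contacts', 'Web Scripts'],  // folder name in place of a script name
];
foreach ($calls as $call) {
    try {
        echo guardedPerformScript($fm, $call[0], $call[1]), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

The guard runs only in the calling PHP code; it does not change how the server itself handles a request.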
