May 11, 2000 18:00 GMT
PROBLEM:       The field restriction "Don't show" may fail to prevent the exposure of the contents of data fields.

PLATFORM:      Only those platforms used to publish FileMaker 5 databases via the Web Companion.

DAMAGE:        Users may be able to gain unauthorized access to fields containing sensitive information.

SOLUTION:      Update FileMaker Pro 5 Web Companion as directed by the advisory.

VULNERABILITY ASSESSMENT: Risk is MEDIUM. There has been discussion in public forums on how to exploit the vulnerability.
The advisory below was captured on May 10, 2000 at the URL http://www.claris.com/support/updaters.html

[ Start FileMaker, Inc. Advisory ]

FileMaker Web Companion Update 5.0v4
May 9, 2000

FileMaker Web Companion Update 5.0v4 WorldWide English. Now available for download, FileMaker Pro 5 Web Companion 5.0v4 for FileMaker Pro 5, FileMaker Pro 5 Unlimited, and FileMaker Developer 5. The fix will be downloadable from www.filemaker.com/webcompanion.

The security issue is of concern only to FileMaker users publishing FileMaker 5 databases via the Web Companion. We advise customers who are using the FileMaker Pro 5 Web Companion to publish FileMaker Pro 5 databases over the Web to install this update as soon as possible.

The fix addresses a Field-Level Security issue when using the Web Security Database: Some technologies in the Web Companion may inappropriately expose field contents which the user thinks are protected by Field-Level Security.

This version supersedes 5.0v1, 5.0v2, 5.0v3 of the Web Companion.

Included with this update are:
1) Read Me
2) Web Companion 5.0v4

Select the platform version you wish to download: Mac | Windows

[ End FileMaker, Inc. Advisory ]
CIAC wishes to acknowledge the contributions of FileMaker, Inc. for the information contained in this bulletin.
CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can be contacted at:
Voice:          +1 925-422-8193 (7 x 24)
FAX:            +1 925-423-8002
STU-III:        +1 925-423-2604
E-mail:         email@example.com
World Wide Web: http://www.ciac.org/
                http://ciac.llnl.gov (same machine -- either one will work)
Anonymous FTP:  ftp.ciac.org
                ciac.llnl.gov (same machine -- either one will work)