Uncovering Access and Role Restriction Vulnerabilities in the FileMaker Server Admin Console Source: https://davidhamann.de/2024/10/09/fms-bypassing-restrictions/ With a few security features added to the FileMaker Server Admin Console in the last few versions, I decided to play around with them to see how they are implemented. In this article I want to highlight three of the issues
CVE macOS, Windows, Ubuntu FileMaker Server CVE-2024-23202 Source: https://fm-security.com/posts/priv_esc/ I have identified a privilege escalation vulnerability in FileMaker Server for all platforms (macOS, Windows, Ubuntu) This vulnerability allows an attacker, that has the most limited access to a remote database, hosted on FileMaker Server, to get full access privileges, with access to all data from all tables
Bypass authorization of FileMaker Server or “there is no such category” Source: https://fm-security.com/posts/bypass_auth/ CVE FileMaker Server CVE-2024-27790 Menu Introduction In the summer of 2023, I decided to investigate the internal communication protocol between FileMaker clients and the server. This led to the discovery of perhaps the most significant vulnerability in the platform’s history. I discovered that it
Understanding the Risks and Mitigations of dylib Hijacking in macOS FileMaker Pro CVE-2023-42920 Source: https://fm-security.com/posts/dylib/ CVE macOS FileMaker Pro CVE-2023-42920 Menu Introduction The dylib hijacking vulnerability for macOS is well known and studied. But from a FileMaker developer’s point of view, I have not seen any analysis of this problem. I will begin a little bit from afar. Embedding into someone else’s
Decoding the fmp12 File Format: A Deep Dive into Passwords and Account Security Source: https://davidhamann.de/2024/06/17/how-does-filemaker-store-passwords/ Introduction On This Page I had been planning for a while to dive deeper into the fmp12 file format to explore how data is organized and how accounts and passwords are stored. A few months ago, I finally found the
Unlocking the Secrets of the FileMaker Server Keystore: A Cryptographic Exploration Source: https://davidhamann.de/2023/05/29/deciphering-the-filemaker-keystore/ Introduction On This Page While checking out how the FileMaker Pro to Server upload feature worked, I noticed that credentials were encrypted using a RSA public key before being sent to the server. I looked into FileMaker Server’s installation directory and found that
Uncovering XXE Vulnerabilities in FileMaker’s XML Parsing Source: https://davidhamann.de/2021/11/18/filemaker-xxe-vulnerability/ CVE FileMaker Pro CVE-2021-44147 A couple of months ago I looked more deeply into the “Import Records” functionality in FileMaker, especially the XML parsing, and was wondering if any XXE vulnerability may exist and how one could exploit this in technically interesting ways. The vulnerability is/was indeed there
Troubleshooting FileMaker Database Encryption Issues Source: https://davidhamann.de/2018/08/19/fix-error-853-when-encrypting-filemaker-databases/ Have you ever gotten the following error after trying to encrypt your FileMaker databases? Error 853 refers to One or more containers failed to transfer in the error code listing and herein usually lies the problem. When you encrypt your database, make sure to place the existing external container data into the