14th Apr 2003 [SBWID-6145]
COMMAND
FileMaker Pro remote password retrieval
SYSTEMS AFFECTED
Versions: 5.0, 5.5, 6.0. All platforms.
verified on FileMaker Pro 5.0/Windows 2000,
FileMaker Pro 6.0/Windows 2000,
FileMaker Server 5.5/Linux.
PROBLEM
Stephen White [swhite+fmbug(at)ox(dot)compsoc(dot)net] found the following:
Vulnerable organisations: those using FileMaker Pro TCP/IP network
sharing (including FileMaker Server).
Impact: Having obtained a list of passwords for a given database an
attacker could use them to either read or modify the potentially
sensitive data contained in the database. If, against best practice,
the same passwords are used elsewhere within the organisation an
attacker could use them as a basis for attacking other systems.
It is already known that local users can obtain database passwords, e.g.
software from http://www.lostpassword.com/filemaker.htm
FileMaker Pro communicates with servers or multi-user databases shared
via TCP/IP using a proprietary network protocol. A full analysis of
this protocol is not possible due to its proprietary nature; however,
it appears that the server exploits the proprietary nature of the
protocol by trusting the client to carry out tasks such as validating
passwords. In the course of the network communication the server will
send the client the list of obscured passwords. The client will then
prompt the user to enter a password, which is checked against this list
before continuing - a classic example of 'Security by Obscurity'.
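The design flaw described above, reduced to a constructed illustration (this is added example code, not FileMaker's protocol, which is proprietary and was not analysed; the message formats, the XOR "obscuring" step, the account names and passwords are all invented here). Design A hands the client the obscured password list and lets the client compare; Design B keeps only salted PBKDF2 hashes on the server, does the comparison there, and puts nothing password-derived on the wire. The last function shows why reversible obscuring of a list that leaves the server buys nothing: whoever can read the reply can undo it.

```python
"""Client-side versus server-side password verification (constructed example)."""
import hashlib
import hmac
import os
import secrets

# Constructed sample accounts; any resemblance to real credentials is accidental.
PLAINTEXT_ACCOUNTS = {"admin": "s3cret", "clerk": "ledger2003"}

# Placeholder 'obscuring' key. XOR with a fixed byte is reversible by design,
# which is exactly the property that makes Design A fail.
OBSCURE_KEY = 0x5A


def obscure(data: bytes) -> bytes:
    """Reversible XOR 'obscuring' (constructed). Applying it twice restores the input."""
    return bytes(b ^ OBSCURE_KEY for b in data)


# ---- Design A: the vulnerable pattern the advisory describes -----------------

def vulnerable_server_open(accounts: dict) -> dict:
    """Server reply to 'open database': the whole obscured password list.
    The server must keep plaintext (or reversibly obscured) passwords because
    the client needs them to do the comparison. Everything in this dict
    crosses the network."""
    return {"type": "open-ok",
            "passwords": {user: obscure(pw.encode()) for user, pw in accounts.items()}}


def vulnerable_client_check(open_reply: dict, user: str, typed: str) -> bool:
    """Client-side check: trusted by the server, controlled by the user."""
    return open_reply["passwords"].get(user) == obscure(typed.encode())


def recover_from_wire(open_reply: dict) -> dict:
    """What a network observer learns from the Design A reply: since the
    obscuring is reversible, every account's password is recovered in full."""
    return {user: obscure(blob).decode() for user, blob in open_reply["passwords"].items()}


# ---- Design B: server-side verification against salted hashes ----------------

PBKDF2_ITERATIONS = 100_000


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def build_hashed_store(accounts: dict) -> dict:
    """Server-side store: per-user random salt plus PBKDF2 hash, no plaintext."""
    store = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)
        store[user] = {"salt": salt, "hash": _derive(pw, salt)}
    return store


# Dummy record so unknown users cost the same work as known ones (reduces
# user-enumeration via timing); it never matches because its hash is all zeros.
_DUMMY = {"salt": b"\0" * 16, "hash": b"\0" * 32}


def hardened_server_login(store: dict, user: str, typed: str) -> dict:
    """Server receives the typed password, verifies it, and replies with only
    a verdict (plus an opaque session token on success). No password list,
    hash or salt ever leaves the server."""
    rec = store.get(user, _DUMMY)
    ok = hmac.compare_digest(_derive(typed, rec["salt"]), rec["hash"])
    if ok and user in store:
        return {"type": "login-ok", "session": secrets.token_hex(16)}
    return {"type": "login-denied"}


def store_holds_plaintext(store: dict, accounts: dict) -> bool:
    """Audit helper: does any stored record contain a plaintext password?"""
    return any(pw.encode() in rec["salt"] + rec["hash"]
               for user, pw in accounts.items() for rec in [store[user]])


if __name__ == "__main__":
    reply = vulnerable_server_open(PLAINTEXT_ACCOUNTS)
    print("Design A, passwords recoverable from one reply:", recover_from_wire(reply))
    store = build_hashed_store(PLAINTEXT_ACCOUNTS)
    print("Design B, good password:", hardened_server_login(store, "admin", "s3cret")["type"])
    print("Design B, bad password: ", hardened_server_login(store, "admin", "wrong")["type"])
```

The practical lesson for reviewing any client/server protocol is the question `recover_from_wire` answers: does any message the server sends contain material from which a credential can be reconstructed? If the client is the one doing the comparison, the answer is always yes, however the list is encoded.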
SOLUTION
FileMaker were contacted about this issue on March 8, 2003.
FileMaker have stated that they intend to fix this issue for their next
release; they have not stated when this next release will be. They do
not appear to intend to produce an update or fix for current releases.
Solutions:
* Disable 'multi-user' or 'TCP/IP' access to FileMaker databases.
* If sharing via FileMaker networking (peer-to-peer or client/server) is
required, ensure that FileMaker Pro hosts and servers are only accessible
to trusted intranet systems through an appropriate firewall setup.
External access could be arranged by using VPN or TCP tunnelling software.
* Share data using alternative means, such as web publishing with 'Web
Companion' or Lasso, or other middleware or third-party plug-ins. I have not
tested these so am not in a position to provide specific recommendations.
* Use alternative database software if these solutions do not address your
requirements.