Minor FileMaker Security Breakdown


Note: 2012-07-14 I just tested this security ‘workaround’ in FileMaker 12 and it continues to exist.

Open a File

The Admin user launches a file.

Using Admin level access

The Admin user is set to [Full Access] privileges. Full Access means that the user can add/edit/delete any of the fields, scripts, layouts, users, privilege sets and relationships within the database.

Manage Security

Under the File menu, the Admin user can open Manage Security, which holds the privilege sets and user accounts.

Manage Security screen

We can see there is an account for a low-level user, coincidentally named ‘Low Level’. If the Admin user now makes any changes in this dialog box, whether to the Accounts list or to the Privilege Sets assigned to users, they are prompted for their Admin-level password when they try to exit this screen and save those changes.

Confirm Full Access Login

At this point, the Admin user would enter his/her name and password and the changes would be saved. This is all good and how one might expect things to work.

The Security Risk

Presumably this password prompt is designed to cover the case where the Admin user has gone for coffee, leaving his/her machine unlocked, and a nefarious user comes along and tries to change their own privilege set to escalate their privileges. You would think they shouldn’t be able to do this.

Well guess what? They can.

In this instance, Low Level comes along and escalates his own privilege set to Full Access. He clicks OK, and then OK again, to leave the Security dialog box.

Here is the security breakdown

Instead of allowing the newly escalated Low Level fellow to confirm the changes, shouldn’t the original Admin login be required? That is not how this works: Low Level has upgraded their privilege set AND confirmed this change themselves, because the prompt accepts any account that holds Full Access under the not-yet-saved changes.

This seems like a flaw in an otherwise fairly secure system.

Of course you might argue that Admin should never have gone for coffee in the first place, but isn’t security design supposed to take human fallibility into account? Why bother prompting for a password at all, if you are going to accept any user’s password?

I am just sayin’…
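To make the design point concrete, here is a small model of the confirmation step, added here as an illustration and not FileMaker’s own code. It places the flawed rule described above (any account holding Full Access in the pending, unsaved state may confirm) next to the rule the post argues for (only the account that opened the session may confirm, checked against the saved state). The account names, passwords and the ‘Data Entry Only’ privilege set are constructed for the example.

```python
"""Toy model of the re-authentication step behind a 'Manage Security' dialog.

Added illustration, not FileMaker's code. confirm_weak() models the flaw in
the walkthrough: any credential with Full Access in the PENDING state can
save the dialog, so a freshly escalated account confirms its own escalation.
confirm_strict() binds the confirmation to the session's own account and
checks it against the COMMITTED state. Names and passwords are constructed.
"""
import copy
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

FULL_ACCESS = "[Full Access]"
DATA_ENTRY = "Data Entry Only"   # constructed low-privilege set


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Account:
    name: str
    salt: bytes
    pw_hash: bytes
    privilege_set: str

    @classmethod
    def create(cls, name, password, privilege_set):
        salt = secrets.token_bytes(16)
        return cls(name, salt, _derive(password, salt), privilege_set)

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, _derive(password, self.salt))


@dataclass
class SecurityDialog:
    committed: dict        # saved accounts, keyed by name
    session_user: str      # account that authenticated when the file was opened
    pending: dict = field(init=False)

    def __post_init__(self):
        # Edits made in the dialog live in a working copy until confirmed.
        self.pending = copy.deepcopy(self.committed)

    def set_privilege_set(self, name: str, privilege_set: str) -> None:
        self.pending[name].privilege_set = privilege_set

    def confirm_weak(self, name: str, password: str) -> bool:
        """Flawed: the check reads privileges from the PENDING state and
        ignores who opened the session, so a self-granted Full Access counts."""
        acct = self.pending.get(name)
        if acct is None or acct.privilege_set != FULL_ACCESS:
            return False
        if not acct.check_password(password):
            return False
        self.committed = copy.deepcopy(self.pending)
        return True

    def confirm_strict(self, name: str, password: str) -> bool:
        """Corrected: only the session's own account may confirm, and its
        privileges and password are read from the COMMITTED state, which the
        unsaved edits cannot influence."""
        if name != self.session_user:
            return False
        acct = self.committed.get(name)
        if acct is None or acct.privilege_set != FULL_ACCESS:
            return False
        if not acct.check_password(password):
            return False
        self.committed = copy.deepcopy(self.pending)
        return True


def _dialog_left_open_by_admin() -> SecurityDialog:
    """Admin has Manage Security open and walks away from an unlocked machine."""
    accounts = {
        "Admin": Account.create("Admin", "admin-pass-CONSTRUCTED", FULL_ACCESS),
        "Low Level": Account.create("Low Level", "low-pass-CONSTRUCTED", DATA_ENTRY),
    }
    return SecurityDialog(committed=accounts, session_user="Admin")


def self_escalation(strict: bool) -> str:
    """Low Level grants himself Full Access and confirms with his own password.
    Returns the privilege set that ends up SAVED for Low Level."""
    dialog = _dialog_left_open_by_admin()
    dialog.set_privilege_set("Low Level", FULL_ACCESS)
    confirm = dialog.confirm_strict if strict else dialog.confirm_weak
    confirm("Low Level", "low-pass-CONSTRUCTED")
    return dialog.committed["Low Level"].privilege_set


def admin_approved_change() -> str:
    """Control case: Admin makes the same change and confirms it under the strict rule."""
    dialog = _dialog_left_open_by_admin()
    dialog.set_privilege_set("Low Level", FULL_ACCESS)
    dialog.confirm_strict("Admin", "admin-pass-CONSTRUCTED")
    return dialog.committed["Low Level"].privilege_set


if __name__ == "__main__":
    print("weak confirm   ->", self_escalation(strict=False))  # [Full Access]
    print("strict confirm ->", self_escalation(strict=True))   # Data Entry Only
    print("admin confirms ->", admin_approved_change())        # [Full Access]
```

The two rules differ in only two places: whose identity is accepted (anyone versus the session user) and which state the privilege check reads (pending versus committed). Both matter; fixing only the second still lets any other pre-existing Full Access account save the change from the unattended machine.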
