FileMaker - FMS, bypass authorisation

Submitted by Style Pass, 2024-10-13 07:30:04

fm-security.com is an independent entity and this web site has not been authorized, sponsored, or otherwise affiliated with Claris International Inc. Claris and FileMaker are trademarks of Claris International Inc., registered in the U.S. and other countries. © 2024 fm-security.com. All rights reserved.

In the summer of 2023, I decided to investigate the internal communication protocol between FileMaker clients and the server. This led to the discovery of perhaps the most significant vulnerability in the platform’s history.

I discovered that it is possible to connect to any database hosted on any FileMaker Server with full administrator privileges without any authorization!

You don’t need to know the name of the database, or the user login or password. All you need is the IP address (or hostname) of the FileMaker Server.

Knowing only the IP address, you can get full access, including editing and deleting data, to all databases, all tables, all records, scripts, access settings, etc.
