Published: 2007/11/21  Last Updated: 2008/05/21

JVN#55833292
FileMaker cross-site scripting vulnerability

Overview

FileMaker from FileMaker, Inc. contains a cross-site scripting vulnerability.

Products Affected

  • FileMaker Pro 7 (for Windows and Mac)
  • FileMaker Developer 7 (for Windows and Mac)
  • FileMaker Server 7 Advanced (for Windows and Mac)
  • FileMaker Pro 8.x (for Windows and Mac)
  • FileMaker Pro 8.x Advanced (for Windows and Mac)
  • FileMaker Server 8.x (for Windows and Mac)
  • FileMaker Server 8.x Advanced (for Windows and Mac)
The FileMaker 9 product line is not affected by this vulnerability.

Description

FileMaker is database software from FileMaker, Inc.
FileMaker contains a cross-site scripting vulnerability in its "Instant Web Publishing" function that enables users to publish database contents on the web.

Impact

An attacker could execute an arbitrary script on the web browser of a user who views the contents published using the "Instant Web Publishing" function.

Solution

Upgrade the Software
FileMaker, Inc. has not released any updates or patches for FileMaker 7.x and 8.x.
However, the vendor released the FileMaker 9 product line in September 2007. Users are encouraged to upgrade to the FileMaker 9 product line, which is not affected by this vulnerability.

Workarounds
Users who are unable to upgrade to the FileMaker 9 product line should apply the following workaround to mitigate this vulnerability.

  • Do not use the "Instant Web Publishing" function

Vendor Status

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Analyzed on 2007.11.21

Measure / Condition / Severity

  • Access Required: Routed - can be attacked over the Internet using packets. Severity: High
  • Authentication: None - anonymous or no authentication (IP addresses do not count). Severity: High
  • User Interaction Required: Simple - the user must be convinced to take a standard action that does not feel harmful to most users, such as click on a link or view a file. Severity: Medium
  • Exploit Complexity: Low - little to no expertise and/or luck required to exploit (cross-site scripting). Severity: High

Description of each analysis measure

Credit

Emic Corporation reported this vulnerability to IPA.
JPCERT/CC coordinated with the vendors under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE
JVN iPedia JVNDB-2007-000807

Update History