/*off topic: please in the list disable or add filter to your auto-reply*/

from: http://www.blueworld.com/blueworld/news/05.01.00-FM5_Security.html

(.../...)

The precise details of how to exploit these holes are minimized to prevent compromising the integrity of all current Internet-accessible FileMaker Pro 5 databases and mail servers. However, details can be easily deduced by referencing the FileMaker Pro 5 documentation and by consulting the FileMaker XML Technology Overview white paper available via the FileMaker XML Central Web site.

1. Anyone on the Internet can view all data in a FileMaker Pro 5 Web accessible database regardless of Web Database Security preferences set to deny such access.

With FileMaker Pro 5 it is possible to return data in XML format based upon a request submitted by anyone on the Internet. The XML publishing capabilities of the FileMaker Pro 5 Web Companion cannot be disabled separately from the Web Companion. The XML publishing capabilities bypass certain crucial aspects of FileMaker Pro 5 Web security, allowing anyone on the Web to view any data within a FileMaker Pro 5 database. The hole allows anyone to view sensitive data contained within FileMaker Pro 5 databases, such as credit card numbers, passwords, employee records, and trade secrets, that are not intended for public access.

2. Anyone on the Internet can use the Web Companion's email capabilities to retrieve all data contained in any FileMaker Pro 5 Web Companion enabled database regardless of Web Database Security preferences set to deny such access.

The FileMaker Pro 5 Web Companion's new email capabilities include the ability to specify that any field in a database be used as the format for the body of the email message. This new functionality can be accessed through a request submitted by anyone on the Internet. The new email capabilities can be used to bypass certain crucial aspects of FileMaker Pro 5 Web security, allowing anyone on the Web to send the contents of any database field via email to themselves or a third party. The hole makes it possible to access and rapidly distribute across the Internet sensitive information stored in FileMaker Pro 5 databases not intended for viewing by the general public.

3. Anyone on the Internet can use Web Companion's email capabilities to send anonymous or impersonated email, thereby compromising the integrity of any targeted mail server.

The hole allows anyone to anonymously flood email accounts and mask or impersonate the true identity and source of the originating message, making it virtually impossible to trace the origin of malicious activity. For example, anyone on the Web could access any organization's FileMaker Pro 5 powered Web site and submit a query that contains commands which instruct the Web Companion to send an email from the president of the organization instructing all employees not to show up to work. As the email would originate from the organization's own servers, it would be virtually impossible to trace the true location of the perpetrator.

(.../...)

Solutions exist; look at http://www.blueworld.com/blueworld/news/05.01.00-FM5_Security.html