Introduction

After a short pause, I am resuming publication of articles dedicated to the security of the FileMaker platform.

It is worth noting that recently we have joined forces with another security researcher, David Hamann: davidhamann.de

Last year, at the Vienna Calling conference, David and I showed this slide:

Since then, several more FileMaker-related vulnerabilities have been added to the CVE database:

CVE search results for FileMaker

At that time, David and I were the main contributors to improving FileMaker security. At this conference, we also presented two new issues that we had discovered.

Denial of Service in FileMaker Server

The first issue was the ability to perform a denial-of-service attack against any FileMaker Server by sending a specially crafted packet.

The trigger rate was 100%. The server stopped working until the administrator restarted the affected service. In the logs, only a short message appeared, without any useful indication of the real cause.

Predictable Session IDs

The second issue was even more dangerous.

We found that the session ID generated during a user connection was issued as a sequential number. An important detail of FileMaker Server is that the session ID is issued before the user is authorized. This is Phase 1 of the connection process, which I described earlier:

FMS, bypass authorisation

As a result, an attacker did not need to authenticate. By receiving a session ID during the first phase of the connection, the attacker could quickly enumerate nearby session IDs and find sessions that had been issued to other, already authorized users. This took only a few seconds.

This made it possible to use another user’s session ID and obtain the same access level that had been granted to that user, simply by connecting to the server. No authorization was required.

The only requirement was that at least one active client had to be connected to the server.

I plan to publish separate, more detailed articles about both of these vulnerabilities on this website.

Disclosure at Vienna Calling 2025

We presented these two issues at Vienna Calling 2025 and demonstrated them live.

Claris employees who were present at the conference urgently requested our technical expertise and help in fixing both vulnerabilities. This was especially time-sensitive because the next major release, FileMaker Server 2025 (22.0.1), was scheduled for release shortly afterward.

We quickly helped the company, and both vulnerabilities were fixed. The new FileMaker Server release shipped without these issues. Unfortunately, we did not receive any mention of our contribution in the release notes.

These cases also showed us that protecting the FileMaker platform requires more than fixing individual vulnerabilities one by one. We decided to take a more systematic approach: build a security layer that can help detect and block suspicious behavior before a specific vulnerability is publicly known or formally patched.

A More Systematic Approach

This led us to create a software product: FMProxy.

FMProxy helps protect the FileMaker platform not only from known vulnerabilities, but also by detecting non-standard packets and unusual communication patterns between FileMaker clients and FileMaker Server.

Another important security layer is the ability to use a trusted client list and block packets from untrusted users.

You can read more about FMProxy here:

FMProxy: Security Proxy for FileMaker Server

---