Basics to securing AMFPHP
@ update Lee took this content and made it better
There are a lot of comments about how to secure amfphp. If you can do one thing and one thing only, do the following.
1.) PLEASE remove the amfphp/browser/ folder from your project. It was designed as a debugging tool and has no access controls. Never place the browser on a production server.
2.) The more important file to remove, rather than the browser directory, is “f8v4/services/amfphp/services/amfphp/DiscoveryService.php”. As long as DiscoveryService.php is still there, anyone can point a copy of the browser at your gateway.php and it will bring up your services; it is this file/service that tells the browser what services are available for calling. For a complete kill of the browser you need to remove both of the following:
“f8v4/services/amfphp/services/amfphp/” <– DiscoveryService.php in here.
“f8v4/services/amfphp/browser/”
3.) In “public_html/f8v4/services/amfphp/gateway.php” change
define("PRODUCTION_SERVER", false);
to
define("PRODUCTION_SERVER", true);
4.) You really need to run the application over SSL if you can. It really helps keep people from being able to see all the plain text data that you are sending to and from the server.
5.) Implement a beforeFilter; I will blog on this real soon.
This will at least make it so that you cannot remotely inspect all of the services that are available. I will release an
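Steps 1 to 3 are file-level changes, so they can be checked mechanically before every deploy. The script below is an added example, not code from the AMFPHP project or from this post: it looks for the browser directory, for DiscoveryService.php and for a PRODUCTION_SERVER that is still false, and refuses to report OK until all three are fixed. The directory layout (an amfphp root containing browser/, services/amfphp/ and gateway.php) is assumed from the paths quoted above; the sample tree it builds in a temp directory is constructed so the script runs offline.

```php
<?php
// Added example, not part of AMFPHP or of the post above.
// Pre-deployment check for the three file-level items in the post:
//   - the amfphp/browser/ directory must be gone
//   - services/amfphp/DiscoveryService.php must be gone
//   - gateway.php must define PRODUCTION_SERVER as true
// Layout assumed from the paths in the post: $root is the amfphp folder.

function auditAmfphp($root)
{
    $findings = array();

    $browser = $root . '/browser';
    if (is_dir($browser)) {
        $findings[] = "browser directory still present: $browser";
    }

    $discovery = $root . '/services/amfphp/DiscoveryService.php';
    if (file_exists($discovery)) {
        $findings[] = "DiscoveryService.php still present: $discovery";
    }

    $gateway = $root . '/gateway.php';
    if (!file_exists($gateway)) {
        $findings[] = "gateway.php not found at $gateway";
    } else {
        $src = file_get_contents($gateway);
        // Accept define("PRODUCTION_SERVER", true) with either quote style and
        // any spacing; a false value or a missing define is a finding.
        $pattern = '/define\s*\(\s*["\']PRODUCTION_SERVER["\']\s*,\s*true\s*\)/i';
        if (!preg_match($pattern, $src)) {
            $findings[] = "PRODUCTION_SERVER is not set to true in $gateway";
        }
    }
    return $findings;
}

// Constructed sample tree (temp dir) reproducing the unsafe state the post
// tells you to fix. Replace $root with your real amfphp path in practice.
$root = sys_get_temp_dir() . '/amfphp_audit_' . getmypid();
mkdir($root . '/browser', 0700, true);
mkdir($root . '/services/amfphp', 0700, true);
file_put_contents($root . '/services/amfphp/DiscoveryService.php', "<?php // stub\n");
file_put_contents($root . '/gateway.php', "<?php\ndefine(\"PRODUCTION_SERVER\", false);\n");

$findings = auditAmfphp($root);
if ($findings) {
    echo "NOT SAFE TO DEPLOY:\n - " . implode("\n - ", $findings) . "\n";
} else {
    echo "OK\n";
}

// Apply the post's fixes to the sample tree and check again.
unlink($root . '/services/amfphp/DiscoveryService.php');
rmdir($root . '/browser');
file_put_contents($root . '/gateway.php', "<?php\ndefine(\"PRODUCTION_SERVER\", true);\n");
$after = auditAmfphp($root);
echo $after ? "still unsafe\n" : "OK after fixes\n";

// Clean up the constructed tree.
unlink($root . '/gateway.php');
rmdir($root . '/services/amfphp');
rmdir($root . '/services');
rmdir($root);
```

Run it with `php audit.php`; in a real deployment pipeline you would drop the sample-tree section, pass the real amfphp path and make a non-empty findings list fail the build. Keep in mind that the browser can live at any path, so the check only covers the default location.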


It’s simple but very important advice for real-life production.
Thank you
Hallo Wade,
Seems like your post is broken at the end.
Nice to see you are active on amfphp; just wondering if version 2.0 will come out anytime soon. And are you the only one who has been working on amfphp for the last 1 1/2+ years?
Wade,
Do you want me to write something here on the beforeFilter? We’ve implemented it quite successfully…
-Aron
– Aron
That would be great!
– Speed
I took over in December 2007 and then jumped right into the Essential Guide to Open Source Flash book. So for the most part I have tried to get the documentation up to speed. For about the last two months I have been working on a PHP 5.3 implementation that is very cool!
Aloha Wade,
Looking forward to the new version; hope someone finds time to give you a helping hand. Good luck and thanks for the hard work.
Wade,
I posted on a simple approach to using the beforeFilter
Two lines of code…
public function beforeFilter($function_called)
{
    // Look for a "<method>Roles" member on the service, e.g. $this->getOrdersRoles
    $memberName = $function_called . "Roles";
    // If the method declares roles, require one of them; otherwise allow the call
    return isset($this->$memberName) ? Authenticate::isUserInRole($this->$memberName) : true;
}
Anxious to see what approach an ‘insider’ like yourself is taking
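The beforeFilter above is the whole authorisation layer for a service, so it is worth seeing it in a complete class. The block below is an added example, not AMFPHP project code and not Aron's code: it keeps his "<method>Roles" convention but denies by default when a method declares no role list, and blocks helper methods from ever being called remotely. The Authenticate class is a stand-in for the one his snippet calls (its name is taken from the comment; its implementation is assumed and reads roles from the PHP session), and OrderService with its session contents is constructed for the walk-through. That AMFPHP rejects a call when beforeFilter returns false is taken from the comment.

```php
<?php
// Added example, not AMFPHP project code and not Aron's code. Generalises the
// two-line beforeFilter with a deny-by-default rule and a never-remote list.

// Stand-in for Authenticate::isUserInRole (assumed implementation; the real
// class is not shown on the page). Roles are read from the PHP session.
class Authenticate
{
    public static function isUserInRole($roles)
    {
        $roles = (array) $roles;
        $have = isset($_SESSION['roles']) ? (array) $_SESSION['roles'] : array();
        return count(array_intersect($roles, $have)) > 0;
    }
}

// Constructed service: each remote method declares who may call it via a
// "<method>Roles" member, following the convention in Aron's comment.
class OrderService
{
    public $listOrdersRoles  = array('customer', 'admin');
    public $refundOrderRoles = array('admin');

    // Methods that must never be reachable through the gateway at all.
    private $neverRemote = array('beforeFilter', 'formatOrder');

    // AMFPHP calls this before every remote method; returning false rejects.
    public function beforeFilter($function_called)
    {
        if (in_array($function_called, $this->neverRemote, true)) {
            return false;
        }
        $memberName = $function_called . 'Roles';
        // Deny by default: a method with no declared role list is closed.
        if (!isset($this->$memberName)) {
            return false;
        }
        return Authenticate::isUserInRole($this->$memberName);
    }

    public function listOrders()
    {
        return array($this->formatOrder(1), $this->formatOrder(2));
    }

    public function refundOrder($id)
    {
        return 'refunded ' . (int) $id;
    }

    // Declares no roles, so the filter denies it until someone adds
    // $exportAllRoles deliberately.
    public function exportAll()
    {
        return 'everything';
    }

    private function formatOrder($n)
    {
        return 'order-' . $n;
    }
}

// Local walk-through with a constructed session; no AMF gateway needed.
function decision(OrderService $svc, $method)
{
    return $svc->beforeFilter($method) ? 'allowed' : 'denied';
}

$_SESSION = array('roles' => array('customer'));
$svc = new OrderService();
foreach (array('listOrders', 'refundOrder', 'exportAll', 'formatOrder') as $m) {
    echo str_pad($m, 12) . ' as customer: ' . decision($svc, $m) . "\n";
}

$_SESSION = array('roles' => array('admin'));
foreach (array('listOrders', 'refundOrder', 'exportAll') as $m) {
    echo str_pad($m, 12) . ' as admin:    ' . decision($svc, $m) . "\n";
}
```

The one behavioural difference from the two-line version is the default: Aron's filter allows any method that has no roles member, which is convenient during development but means a newly added method is exposed until someone remembers to declare roles for it. Failing closed pushes that decision to the point where the method is written.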
Wade – I can help. I’m on the AMFPHP list, but I know the docs and writing stuff can take time and I’m willing to toss in a couple hours to get something rolling or ironed out.
why do you need to use SSL to secure this?
I guess what I mean is, if you were calling a php script directly you would get back all of the data output by the script (e.g. the output isn’t hidden). The only difference is that when using AMFPHP, the output data is encapsulated in AMF format.
So what *specific* data are we hiding in the returned output via the SSL? For a basic mysql select, I wouldn’t think any id / passwords are being sent.
thanks
These are great tips. Thank you.
How about altering the simple stuff as well?
Wouldn’t renaming the ‘amfphp’ folder as well as ‘gateway.php’ provide just a little bit more peace of mind?
Only your Flash/Flex/AIR app needs to know where the gateway is and what it’s called. For example, you could give “amfphp/gateway.php” path an arbitrary name like “_magikk/nu79fi6Lc5z8PsWsEfCKl3PjvZSwxZFN.php”
Works for me without any hassles
@Figo
? I’m looking for better securing tips.
Uhm.. I think it doesn’t matter what the files are named.. the swf sources can be decompiled.
I have been testing in the Flash IDE which accesses my gateway.php file over the internet. I would now like to turn off all remote access to gateway.php so that only server located swfs can access the gateway. I assumed that setting PRODUCTION_SERVER to true in gateway.php would accomplish this. After doing this I can still access the gateway.php from the flash IDE which isn’t supposed to be allowed with this flag set to true. Any help would be greatly appreciated.
Thanks
CJ, I suppose you have already worked it out? That is to say, it is hard to hide, since the Flash application itself is located on a client machine; you can, however, get PHP to remotely detect before it generates a unique session id on the client’s computer.