Basics to securing AMFPHP
July 17, 2010 Posted by Tournas Dimitrios in Flash.
There are a lot of comments about how to secure amfphp. If you can do one thing and one thing only, do the following.
- PLEASE remove the amfphp/browser/ folder from your project. This was designed as a debugging tool and has no access controls. Never place the browser on a production server.
- The more important file to remove, rather than the browser directory, is “f8v4/services/amfphp/services/amfphp/DiscoveryService.php”: you can point any browser at a different gateway.php and it will bring up those services if the DiscoveryService.php is still there. It is this file/service that tells the browser what services are available for calling. For a complete kill of the browser you need to remove:
“f8v4/services/amfphp/services/amfphp/” <– DiscoveryService.php is in here.
- Change “public_html/f8v4/services/amfphp/gateway.php”
- You really need to run the application over SSL if you can. It really helps keep people from being able to see all the plain text data that you are sending to and from the server.
- Implement beforeFilter
This will at least make it so that you can not remotely inspect all of the services that are available. I will release an
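The following audit script is an added example, not part of the original post or of amfphp itself: it checks a deployment for the three filesystem exposures listed above (the browser/ folder, DiscoveryService.php, and a gateway.php still at its default name). It assumes the layout quoted in the post, i.e. a root such as public_html/f8v4/services containing amfphp/browser/, amfphp/services/amfphp/DiscoveryService.php and amfphp/gateway.php.

```shell
#!/bin/sh
# Audit an AMFPHP 1.x deployment for the remote-inspection exposures this post
# lists. Added example; assumes <root>/amfphp/browser/,
# <root>/amfphp/services/amfphp/DiscoveryService.php and <root>/amfphp/gateway.php.

# Prints one line per finding; returns 0 when clean, 1 when anything is found.
amfphp_audit() {
    root="$1"
    findings=0

    # 1. The service browser: a debugging UI with no access controls.
    if [ -d "$root/amfphp/browser" ]; then
        echo "FAIL: service browser present: $root/amfphp/browser/"
        findings=$((findings + 1))
    fi

    # 2. DiscoveryService.php lets any remote browser enumerate services
    #    through the gateway, even after the local browser/ folder is gone.
    #    Search the whole root so a copy in another services/ dir is caught.
    if find "$root" -type f -name 'DiscoveryService.php' | grep -q .; then
        echo "FAIL: DiscoveryService.php present under $root"
        findings=$((findings + 1))
    fi

    # 3. The gateway still sits at its well-known default name.
    if [ -f "$root/amfphp/gateway.php" ]; then
        echo "WARN: gateway at default path $root/amfphp/gateway.php"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Usage: sh amfphp_audit.sh public_html/f8v4/services
if [ -n "${1:-}" ]; then
    amfphp_audit "$1"
fi
```

Run it after each deployment; a non-zero exit from the script means one of the files this post says to remove or rename is back on the server.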