
Basics to securing AMFPHP July 17, 2010

Posted by Tournas Dimitrios in Flash.

There are a lot of comments about how to secure AMFPHP. If you can do one thing and one thing only, do the following.

  • PLEASE remove the amfphp/browser/ folder from your project. This was designed as a debugging tool and has no access controls. Never place the browser on a production server.
  • The more important file to remove, rather than the browser directory, is “f8v4/services/amfphp/services/amfphp/DiscoveryService.php”. You can point any browser at a different gateway.php and it will bring up those services if DiscoveryService.php is still there. It is this file/service that tells the browser what services are available for calling. For a complete kill of the browser you need to remove it.

“f8v4/services/amfphp/services/amfphp/”  <-- DiscoveryService.php in here.

  • In “public_html/f8v4/services/amfphp/gateway.php”, change

define("PRODUCTION_SERVER", false);

to

define("PRODUCTION_SERVER", true);

  • You really need to run the application over SSL if you can. It really helps keep people from being able to see all the plain text data that you are sending to and from the server.
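The three file-level items above can be checked before each deployment. The script below is an added example, not part of the original post or of AMFPHP; the function names `audit_amfphp` and `make_sample` are hypothetical, the sample tree is constructed, and paths are taken relative to the directory that holds gateway.php.

```shell
#!/bin/sh
# Added example: audit an AMFPHP install against the checklist above.
# $1 is the directory that holds gateway.php. Prints one line per finding
# and returns the number of findings (0 means all checks pass).
audit_amfphp() {
    root=$1
    findings=0
    fail() { echo "FAIL: $1"; findings=$((findings + 1)); }

    # The service browser has no access controls; it must not be deployed.
    [ -d "$root/browser" ] && fail "browser/ directory is present"

    # DiscoveryService.php is what tells a browser which services exist.
    [ -e "$root/services/amfphp/DiscoveryService.php" ] &&
        fail "services/amfphp/DiscoveryService.php is present"

    # gateway.php: drop whole-line comments, then require an active
    # define("PRODUCTION_SERVER", true) and no active ... false.
    gw="$root/gateway.php"
    pat="define\([[:space:]]*[\"']PRODUCTION_SERVER[\"'][[:space:]]*,[[:space:]]*"
    if [ ! -f "$gw" ]; then
        fail "gateway.php not found under $root"
    else
        active=$(grep -Ev '^[[:space:]]*(//|#)' "$gw" || true)
        printf '%s\n' "$active" | grep -Eiq "${pat}true[[:space:]]*\)" ||
            fail "PRODUCTION_SERVER is not defined as true"
        printf '%s\n' "$active" | grep -Eiq "${pat}false[[:space:]]*\)" &&
            fail "PRODUCTION_SERVER is defined as false"
    fi
    return "$findings"
}

# Constructed sample tree (not a real install) in the insecure state:
# browser and DiscoveryService.php present, the "true" line commented out.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/browser" "$d/services/amfphp"
    : > "$d/services/amfphp/DiscoveryService.php"
    printf '%s\n' '<?php' '// define("PRODUCTION_SERVER", true);' \
        'define("PRODUCTION_SERVER", false);' > "$d/gateway.php"
    echo "$d"
}

# Audit the path given on the command line, if any.
if [ $# -gt 0 ]; then audit_amfphp "$1"; fi
```

The commented-out `true` line in the sample shows why the check ignores comment lines: a plain text search for the hardened setting would pass a gateway.php that still runs with `false`.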

This will at least make it so that you cannot remotely inspect all of the services that are available. I will release an

