ssjskipp, posted July 14, 2009

I've been having a problem with people intercepting the POST data to a PHP file, and I've been wondering how I can check just where data is coming from. My situation is: I'm loading a .php file from an .swf file (crossdomain stuff works fine, so the .swf can be anywhere), and I want to make it so only that swf file can run/get anything from the .php file on my server. Right now, I'm sending the location of the swf file to the php file, and checking a sha1 file checksum on the PHP file against a hard-coded value. The problem is people can just send the link to a proper swf file regardless of whether or not that's where they're loading the php file from. I'm not even sure if that's possible to do, but any enlightenment would be nice.

Thread: https://forums.phpfreaks.com/topic/165944-people-forging-data/
premiso, posted July 14, 2009

You can store a hashed "challenge" answer in the .swf file. This is not 100% guaranteed, as it can probably be viewed in Notepad as raw text. But just pass that challenge question to the php script; if it is right, then you accept the code, if not then you do not accept. But as stated it is not foolproof, as either viewing the source of the swf and/or sniffing the packets would yield what it should be. But it is better than nothing.
ssjskipp (author), posted July 14, 2009

Well, the reason I'm having problems is that people can simply decompile the .swf file. They can just decompile my .swf, find the php and what data the Flash is sending, and modify it...

Currently, I have it set like this:

- PHP file containing a hard-coded sha1 checksum of the real Container.swf (my public swf file).
- Container.swf file that has the URL to the PHP file.
- The Container.swf sends its stage.loaderInfo.url property, which is the exact (and un-modifiable) URL from where the swf file was loaded.
- The PHP file calculates the sha1 checksum of the posted URL; if it is equal to the hard-coded value, it sends the key, if not, it exits.

The only flaw in this system is if they can decompile the Container they get the what and where. The only way this system would be perfect is for the PHP file to be able to say: "The file calling me is: " That way, the user has no say in what's happening...
premiso, posted July 14, 2009

I do not think it is possible. As with header or header-modifying programs, anything can be "forged" or "spoofed". It sounds like you set up measures, but unfortunately, Flash is not very secure. I do not know of any other measures you can take. You can set up the "File calling me is" via headers, I believe, but since they are headers they can also be spoofed, especially since it is cross-domain. If it was on your own server or the server where the script is set I am sure it could be done and secured.
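To make premiso's point concrete, here is an added example (not code from the thread, and written in Python rather than PHP so it runs stand-alone; the URL, the embedded secret and the key value are constructed placeholders). It models the two checks discussed above: ssjskipp's "sha1 of the posted loaderInfo.url against a hard-coded digest" check, and premiso's "hashed challenge answer embedded in the SWF" check. The legitimate client passes both, but so does anyone who has pulled the URL or the secret out of a decompiled SWF or a sniffed request. The only thing the challenge/response variant adds is that a captured answer cannot be replayed against a fresh nonce; it still cannot tell the server which file is calling it.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed values standing in for the thread's setup (assumptions, not
# anything from the original PHP or SWF).
REAL_SWF_URL = "http://example.com/flash/Container.swf"
HARDCODED_SHA1 = hashlib.sha1(REAL_SWF_URL.encode()).hexdigest()  # "the hard-coded value"
SECRET_KEY = "key-the-php-file-hands-out"  # what the PHP file returns on success
EMBEDDED_SECRET = b"challenge-secret-compiled-into-the-swf"  # assumption: lives in the SWF


def url_checksum_check(posted_url: str) -> Optional[str]:
    """ssjskipp's scheme: sha1(posted URL) must equal the hard-coded digest.

    Only the posted string is verified. Nothing here proves the request was
    issued by that SWF, so any caller who knows the URL gets the key.
    """
    digest = hashlib.sha1(posted_url.encode()).hexdigest()
    if hmac.compare_digest(digest, HARDCODED_SHA1):
        return SECRET_KEY
    return None


def issue_challenge() -> str:
    """Server side: a fresh random nonce for each request."""
    return secrets.token_hex(16)


def client_answer(secret: bytes, nonce: str) -> str:
    """Client side (the SWF): answer = HMAC-SHA256(secret, nonce)."""
    return hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()


def challenge_check(nonce: str, answer: str) -> Optional[str]:
    """premiso's scheme, server side: recompute the answer and compare.

    The secret must be present in the SWF to compute the answer, which is
    exactly why decompiling the SWF defeats it.
    """
    expected = client_answer(EMBEDDED_SECRET, nonce)
    if hmac.compare_digest(expected, answer):
        return SECRET_KEY
    return None


def demo() -> dict:
    """Run the legitimate client and three attacker positions through both checks."""
    results = {}

    # URL-checksum scheme: the legitimate SWF posts its loaderInfo.url ...
    results["url_legit"] = url_checksum_check(REAL_SWF_URL)
    # ... and an attacker who read that URL out of the decompiled SWF or a
    # sniffed POST simply posts the same string from their own client.
    results["url_forged"] = url_checksum_check(REAL_SWF_URL)
    # Only a caller who does not know the real URL is stopped.
    results["url_wrong"] = url_checksum_check("http://attacker.example/Container.swf")

    # Challenge/response scheme.
    nonce = issue_challenge()
    results["cr_legit"] = challenge_check(nonce, client_answer(EMBEDDED_SECRET, nonce))
    # Attacker without the secret cannot produce a valid answer.
    results["cr_no_secret"] = challenge_check(nonce, client_answer(b"guess", nonce))
    # Attacker who extracted the secret from the SWF is indistinguishable
    # from the real client.
    results["cr_extracted"] = challenge_check(nonce, client_answer(EMBEDDED_SECRET, nonce))
    # A sniffed answer does not replay against a fresh nonce; that is all the
    # nonce buys.
    sniffed_answer = client_answer(EMBEDDED_SECRET, nonce)
    results["cr_replay"] = challenge_check(issue_challenge(), sniffed_answer)

    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:14s} -> {'key issued' if outcome else 'rejected'}")
```

Both checks reduce to "does the caller know a string that was shipped to the client"; once the SWF can be hosted anywhere and decompiled, that string is public, and no server-side comparison can distinguish the real Container.swf from a script that sends the same bytes.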
ssjskipp (author), posted July 14, 2009

If it were locked down to my server, there's tons of things I could do to secure it, mostly by preventing download and whatnot, but sadly that's not the case. Well, thank you for your help...