Jump to content

Recommended Posts

I've been having a problem with people intercepting the POST data to a php file, and I've been wondering how I can check just where data is coming from.

 

My situation is:

I'm loading a .php file from an .swf file (crossdomain stuff works fine, so the .swf can be anywhere), and I want to make it so only that swf file can run/get anything from the .php file on my server. Right now, I'm sending the location of the swf file to the php file, and checking a sha1 file checksum on the PHP file against a hard-coded value. The problem is people can just send the link to a proper swf file regardless of whether or not that's where they're loading the php file from.

 

I'm not even sure if that's possible to do, but any enlightenment would be nice.

Link to comment
https://forums.phpfreaks.com/topic/165944-people-forging-data/
Share on other sites

You can store a hashed "challenge" answer in the .swf file. This is not 100% guranteed, as it can probably be viewed in Notepad as raw text. But just pass that challenge question to the php script if it is right, then you accept the code, if not then you do not accept. But as stated it is not fool proof as either viewing the source of the swf and or sniffing the packets would yield what it should be.

 

But it is better than nothing.

Link to comment
https://forums.phpfreaks.com/topic/165944-people-forging-data/#findComment-875226
Share on other sites

Well, the reason I'm having problems is that people can simply decompile the .swf file.

They can just decompile my .swf, find the php and what data the Flash is sending, and modify it...

 

Currently, I have it set like this:

PHP file containing a hard-coded sha1 checksum of the real Container.swf (my public swf file).

Container.swf file that has the URL to the PHP file.

 

The Container.swf sends it's stage.loaderInfo.url property, which is the exact (and un-modifiable) url form where the swf file was loaded.

The PHP file calculates the sha1 checksum of the posted URL, if it is equal to the hardcoded value, it sends the key, if not, it exits.

 

The only flaw in this system is if they can decompile the Container they get the what and where.

The only way this system would be perfect is for the PHP file to be able to say:

"The file calling me is: "

 

That way, the user has no say in what's happening...

Link to comment
https://forums.phpfreaks.com/topic/165944-people-forging-data/#findComment-875233
Share on other sites

I do not think it is possible. As with header or header modifying programs anything can be "forged" or "spoofed".

 

It sounds like you setup measures, but unfortunately, flash is not very secure. I do not know of any other measures you can take. You can setup the "File calling me is" via headers I believe, but since they are headers that can also be spoofed, especially since it is cross-domain. If it was on your own server or the server where the script is set I am sure it could be done and secured.

Link to comment
https://forums.phpfreaks.com/topic/165944-people-forging-data/#findComment-875238
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.