securing AMFPHP
I regularly run into Flash applications when I perform a web application penetration test. One of the most widely used server frameworks for communicating with a Flash object is AMFPHP.
Unfortunately, the default AMFPHP installation is insecure: a system administrator or developer has to actively harden it after deployment, and that step is often forgotten.
There are a number of tips scattered around the Internet on how to secure an AMFPHP installation. In summary:
In the root of your AMFPHP deployment:
- Delete the DiscoveryService.php file (it lets anyone enumerate the services you expose)
- Delete the browser folder and its contents (the service browser lets anyone call those services from a web page)
- Edit gateway.php and set the PRODUCTION_SERVER constant to true (this turns off the debugging and error output the gateway emits in development mode)
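The three steps above as a small POSIX shell script, added here as an example (it is not part of the original post or of the AMFPHP project). It assumes gateway.php sets the constant in the form `define("PRODUCTION_SERVER", false);`, which is how the AMFPHP 1.x gateway ships; adjust the sed pattern if your version writes it differently. `make_sample_deployment` builds a constructed throw-away deployment so the script can be tried offline.

```shell
#!/bin/sh
# Added example, not code from the original page: harden an AMFPHP root
# and verify that the hardening actually took effect.

# Constructed sample deployment (not a real AMFPHP checkout) for trying
# the functions below on a temporary directory.
make_sample_deployment() {
    root="$1"
    mkdir -p "$root/browser/sub" "$root/services"
    echo '<?php // constructed stand-in for the real DiscoveryService' > "$root/DiscoveryService.php"
    echo '<?php // constructed stand-in for the service browser' > "$root/browser/sub/index.php"
    printf '<?php\n// constructed stand-in for gateway.php\ndefine("PRODUCTION_SERVER", false);\n' \
        > "$root/gateway.php"
}

# Apply the three hardening steps to the deployment root given as $1.
harden_amfphp() {
    root="$1"
    if [ ! -d "$root" ]; then
        echo "no such directory: $root" >&2
        return 1
    fi

    # 1. Remove the service discovery endpoint.
    rm -f "$root/DiscoveryService.php"

    # 2. Remove the service browser and everything under it.
    rm -rf "$root/browser"

    # 3. Switch the gateway to production mode. Rewrite via a temp file and
    #    mv rather than sed -i so no .bak copy is left behind in the web root
    #    (a leftover gateway.php.bak would be served as plain text).
    if [ -f "$root/gateway.php" ]; then
        sed 's/\("PRODUCTION_SERVER"[[:space:]]*,[[:space:]]*\)false/\1true/' \
            "$root/gateway.php" > "$root/gateway.php.tmp" \
            && mv "$root/gateway.php.tmp" "$root/gateway.php"
    else
        echo "warning: $root/gateway.php not found, nothing to switch" >&2
    fi
}

# Check a deployment root; returns 0 when all three items are fixed,
# 1 otherwise, printing one FAIL line per remaining problem.
check_amfphp() {
    root="$1"
    status=0
    if [ -e "$root/DiscoveryService.php" ]; then
        echo "FAIL: $root/DiscoveryService.php still present"
        status=1
    fi
    if [ -e "$root/browser" ]; then
        echo "FAIL: $root/browser/ still present"
        status=1
    fi
    if [ ! -f "$root/gateway.php" ] \
        || grep -Eq '"PRODUCTION_SERVER"[[:space:]]*,[[:space:]]*false' "$root/gateway.php"; then
        echo "FAIL: PRODUCTION_SERVER is not set to true in $root/gateway.php"
        status=1
    fi
    return $status
}

# Usage: sh harden_amfphp.sh /var/www/amfphp
if [ "$#" -gt 0 ]; then
    harden_amfphp "$1" && check_amfphp "$1"
fi
```

Run `check_amfphp` again after every upgrade or redeploy: a fresh copy of the AMFPHP distribution brings DiscoveryService.php and the browser folder straight back.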
Of course, it is at least as important to write secure code, harden your server, and implement proper patch and maintenance procedures.