flash actionscript : Protect your server side SWF files
sneskid
5/15/2005 12:00:00 AM
Being familiar with blobs, PHP and PHPObject will help when reading this.

I'm not 100% sure about what kind of tools can be used to map out your server,
but I'm sure it can be done.
This can be a problem for sensitive SWF files. The user can discover the
location, download the SWF file and decompile it. If that file contained
important info, it is now exposed, and they can abuse your site that much more.
Say for example you have an Admin SWF utility (which perhaps uses PHPObject,
thus it contains key and gateway info); you want to expose it to the Admins but
not leave the file available on the server for people to look at. There is a
way to do this.

Make a PHP login page; it will authenticate your admins. You can even apply a
maximum number of failed logins, and you can also block that IP from the site
altogether to prevent the user from attempting to log in with other admin
accounts (depends on the security level you want).
Here is the important part - the PHP script will connect to your database to
authenticate the user; if they check out, then get your script to retrieve a
blob object from your database. This blob object is none other than the Admin
utility SWF! Then simply header out the file type and blob info.
The browser should display the SWF file alone in the window.
The Admin utility can also request the session and any other authenticating
variables to further ensure security.

Here is a generic blob table and the script that gets the Admin SWF:
<?php
// $blobId is the id of the Admin utility row; cast it to an integer so that
// nothing coming from the request can alter the query (SQL injection).
$blobId = (int) $blobId;
$dbQuery = "SELECT blobType, blobData FROM blobs WHERE blobId = $blobId";
$result = mysql_query($dbQuery) or die("Couldn't get file list");

if (mysql_num_rows($result) == 1) {
    $record = mysql_fetch_row($result);
    $fileType = $record[0];     // stored MIME type, e.g. application/x-shockwave-flash
    $fileContent = $record[1];  // the raw SWF bytes
    header("Content-type: $fileType");
    header("Content-Length: " . strlen($fileContent));
    echo $fileContent;
} else {
    echo "Record doesn't exist.";
}
?>

Since the SWF file was retrieved from a database, the chances of it being
found and downloaded from the server are 0!

I got the idea from looking at a tutorial on blobs and php from
http://www.devarticles.com
If you can find that article you should read it, it covers in detail how to
upload and store a file as a blob and then later display the file in the
browser.
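A fuller version of the same gate, written here as an added example and not taken from the post above: it checks the session that the login script set, fetches the blob with a prepared statement instead of interpolating the id into the SQL, verifies that the stored bytes actually carry a SWF signature before serving them as one, and sends no-cache headers. The table and column names follow the post; the session key `admin_id`, the `id` query parameter, the DSN and the database credentials are assumptions made for the example.

```php
<?php
// Added example, not code from the original post. Assumes a `blobs` table
// (blobId, blobType, blobData) and a login script that has already stored
// the admin's id in $_SESSION['admin_id'] after checking the password.
// Session key, query parameter and credentials are illustrative.
session_start();

// 1. Only an authenticated admin gets past this point.
if (empty($_SESSION['admin_id'])) {
    header('HTTP/1.1 403 Forbidden');
    exit('Login required.');
}

// 2. Never build the query from request data; bind the id instead.
$blobId = isset($_GET['id']) ? (int) $_GET['id'] : 0;
$pdo = new PDO(
    'mysql:host=localhost;dbname=site;charset=utf8mb4',   // assumed DSN
    'dbuser', 'dbpass',                                   // assumed credentials
    array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION)
);
$stmt = $pdo->prepare('SELECT blobType, blobData FROM blobs WHERE blobId = ?');
$stmt->execute(array($blobId));
$row = $stmt->fetch(PDO::FETCH_ASSOC);

if ($row === false) {
    header('HTTP/1.1 404 Not Found');
    exit("Record doesn't exist.");
}

// 3. Check the stored object really is a SWF before labelling it as one.
//    SWF files begin with "FWS" (uncompressed), "CWS" (zlib) or "ZWS" (LZMA).
$magic = substr($row['blobData'], 0, 3);
if (!in_array($magic, array('FWS', 'CWS', 'ZWS'), true)) {
    header('HTTP/1.1 500 Internal Server Error');
    exit('Stored object is not a SWF.');
}

// 4. Serve it with the correct type, a fixed filename and headers that ask
//    browsers and proxies not to keep a copy on disk.
header('Content-Type: application/x-shockwave-flash');
header('Content-Disposition: inline; filename="admin.swf"');
header('Content-Length: ' . strlen($row['blobData']));
header('Cache-Control: no-store, no-cache, must-revalidate, private');
header('Pragma: no-cache');
header('Expires: 0');
echo $row['blobData'];
```

The no-store headers only partly address the caching question raised later in the thread: a browser that honours them will not write the file into its temporary internet files, but the SWF bytes are still in the player's memory and can be captured by anyone who controls the machine, so the session check remains the real control.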

Peter Blumenthal
5/16/2005 12:00:00 AM
And will this also prevent the returned SWF from being cached?

Wongx
5/16/2005 12:00:00 AM
I'm looking for security solutions too, especially for that caching into
temporary internet files.

I don't know yet.. but for example if you want to show some kind of picture in
SWF then any way you do that, the picture will be cached into the temp internet
folder. Maybe it is possible to stream that picture. That picture must be
converted into an FLV file - video with only one frame - and then stream it into
the SWF. But I don't know yet how much it helps.
sneskid
5/17/2005 12:00:00 AM
This won't prevent someone from getting at it after it's been cached. But the
idea is it will only be cached on a computer by someone who has access to it in
the first place.
They can clear the temporary files if they are on a public computer.

Internet security isn't easy, and unfortunately there's not enough standards
to make it as good as it should be.

There is ALWAYS a way in (stealing sessions and what not) no matter how good
the security is. Besides they can always just take a gun to your head and make
you login... I'm not sure what category of hacking that falls into.
Peter Blumenthal
5/17/2005 12:00:00 AM
Hmm - fair enough - depends on the competence of your end user then I
guess...

Too true....

Extreme hacking;-?


mkbatman
9/10/2006 2:44:25 PM
Currently looking at this issue seriously. I think that's a fine way to protect
user-authenticated SWF files, but the problem exists that if a user has ANY
login then they can still access the SWF and then start decoding from that
point.

The problem here is to enable the flash swf to protect itself by passing along
a secure argument to php from the server (so its never hardcoded but is
retrieved at load) and at that point we can return all the used php files in an
array so that no php filename is visible and they will all die() if the correct
code is not passed to them. i.e. the users will always get the code but they
will never get the engine running the back end data systems.

The unfortunate side to this argument is that I have just about run out of
ideas as to how to get this code in which a hacker couldn't circumvent by
building dummy forms and attacking the initial PHP file remotely.

My solution is a combination of obfuscation (being sneaky) to create a really
hard to find code by creating it with imagination (any false code implies a
hacker, so it can automatically block the IP and alert the admin to be aware).

If anyone has any good ideas here I would love to hear about them.

One thing I am thinking of at the moment is to move the original URL via PHP
to an obscure area on the host, THEN use that URL as the unique key. Not sure
if I am being stoopid here ?!?!?!

How about a server side flash cookie that only a same-domain SWF can read? That
would be nice, until they figured out how to read it of course :(
kglad
9/10/2006 5:07:01 PM
I created an encryption scheme (in JSFL) for SWF files that encrypts all
ActionScript and would require extensive expertise and time to decrypt.

it is based on a modification of the t.e.a. encryption algorithm.

However, it requires the use of a "key" file that must be kept secure and must
be accessible to the SWF file (so the ActionScript can be decrypted and
executed) that the user has in their cache. And that I cannot figure out how to
accomplish.

Does anyone know how a file (text or PHP or almost anything else that can
return 4 variables/values to a running SWF) can be kept secure?
mkbatman
9/11/2006 12:00:00 AM
Still testing this but it seems to be working and it's ridiculously simple. Add
some simple code to your initial PHP file which references
$_SERVER['HTTP_REFERER'], which basically asks the question, "who sent this?"

By comparing what result you get from that header variable with your own SWF
file you can decide to proceed or die(); if it comes from the Flash on your web
server URL, it's valid and then you can send back whatever you want safely.

Still playing with this and "RewriteRule" Apache .htaccess settings (not going
well), so please tell me how you get on.

This dynamic ActionScript encryption sounds interesting. Does it actually
encrypt the SWF, such that users grabbing the SWF file from the cache will see
gobbledygook still?
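Two gate functions for the back-end PHP that the SWF calls, written as an added example rather than taken from the thread: the first is the `HTTP_REFERER` comparison described in the post above, the second a per-session token that PHP writes into the page embedding the SWF as a FlashVar and the SWF sends back with every request, which is one way to supply the "secure argument retrieved at load" asked for earlier in the thread. Function names, the FlashVar name `token`, the sample URL and the sample requests are constructed for the example; it assumes PHP 7 or later for `random_bytes()` and `hash_equals()`.

```php
<?php
// Added example, not code from the thread. Each function takes the request
// and session as plain arrays so it can be exercised with constructed input.

// Referer gate as described in the post: accept only requests whose
// Referer header names our SWF.
function referer_allows(array $server, $allowedReferer)
{
    $referer = isset($server['HTTP_REFERER']) ? $server['HTTP_REFERER'] : '';
    return $referer === $allowedReferer;
}

// Token alternative. Call this from the PHP page that embeds the SWF and
// put the returned value into <param name="FlashVars" value="token=...">.
function issue_token(array &$session)
{
    $token = bin2hex(random_bytes(16));   // 128-bit random, hex encoded
    $session['swf_token'] = $token;
    return $token;
}

// Back-end check: the SWF must echo the token of the session it was
// loaded in. hash_equals() compares in constant time.
function token_allows(array $session, array $request)
{
    if (empty($session['swf_token']) || empty($request['token'])) {
        return false;
    }
    return hash_equals($session['swf_token'], $request['token']);
}

// ---- Constructed requests (illustrative, not captured traffic) ---------
$allowed = 'http://www.example.com/admin.swf';   // assumed SWF location

// What the server sees when the SWF makes the call...
$fromSwf = array('HTTP_REFERER' => $allowed);
// ...and what it sees when someone runs
//   curl -H "Referer: http://www.example.com/admin.swf" http://www.example.com/backend.php
$forged  = array('HTTP_REFERER' => $allowed);

echo "referer check, request from SWF: ",
     referer_allows($fromSwf, $allowed) ? "allowed" : "denied", "\n";
echo "referer check, forged request:   ",
     referer_allows($forged, $allowed) ? "allowed" : "denied", "\n";

// Token flow: the embedding page issues a token into the session, the SWF
// sends it back; a request that never went through that page has to guess.
$session = array();
$issued  = issue_token($session);
echo "token check, echoed by SWF:      ",
     token_allows($session, array('token' => $issued)) ? "allowed" : "denied", "\n";
echo "token check, guessed value:      ",
     token_allows($session, array('token' => 'guess')) ? "allowed" : "denied", "\n";
```

Run it and the Referer gate allows both constructed requests, because the two arrays are identical: the Referer header is set by the client, so any non-browser client can send it and the server cannot tell that request from one the SWF made. The token gate differs in that the value it compares against is generated server-side and only reaches clients that loaded the embedding page inside a valid session. That ties back-end calls to a login rather than to a header anyone can set, but it is only as strong as the login that created the session, which is the limitation the post above already points out.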