securing XML w/PHP & .htaccess

2009

As distributable web applications become more popular, or the web becomes more distributable, however you want to describe it, it’s important to protect the data driving your app from malicious intent while keeping it flexible and external for the sanity of your colleagues/successors. I’m kind of surprised how insecurely this is often done, and equally surprised the insecurity isn’t more often taken advantage of. I guess those of us that know how to hijack the assets of some big corporation’s site for the purpose of parody are too busy or too sick of staring at an lcd at the end of the day to construct satirical social statements with time probably better spent emailing one’s senator or whatnot.

That being said, I had to figure out how to secure the XML of a flash widget recently; Below is a simple XML driven swf to illustrate the method.

DOWNLOAD SRC
The are a few ways you might need to go about it, depending on how many FlashVars you need to externalize. Say you typically write the path to your .xml to your swf via the FlashVars parameter or swfobject.

<script type="text/javascript" src="js/swfobject.js"></script>

<script type="text/javascript">
var so = new SWFObject("swf/randomScene.swf", "randomScene", "400", "300", "9", "#FFFFFF");
so.addParam("scale", "noscale");
so.addParam("menu", "false");
so.addVariable("randomSceneMenu", "randomSceneMenu.xml");
so.write("flashcontent");
</script>

In order to prevent a user from viewing that file directly, you can put an .htaccess file in the folder containing your .xml which refuses requests made from anywhere but the same server:

SetEnvIf Referer "^http://www\.ursart\.com" allowit
SetEnvIf Referer "^$" allowit
<Limit GET>
Order deny,allow
deny from all
allow from allowit
</Limit>

Anyone who attempts to view it via their browser will get a Forbidden message. I like added security by obscurity though, so I created a php file which echo’s the file contents of the hidden XML. Instead your FlashVars value is the path to this php file, and then as far as a user is concerned, your xml could live virtually anywhere.

<script type="text/javascript" src="js/swfobject.js"></script>
<script type="text/javascript">
var so = new SWFObject("swf/randomScene.swf", "randomScene", "400", "300", "9", "#FFFFFF");
so.addParam("scale", "noscale");
so.addParam("menu", "false");
so.addVariable("config", "php/randomScene_config.php");
so.write("flashcontent");
</script>

I used file_get_contents in the PHP to return the XML contents:

<?php
$content=file_get_contents("../hidden/menu.xml");
echo $content;
?>

Posted 27. March 2013 by admin
Tags: , , |

Leave a Reply

Required fields are marked *