views: 38 | answers: 1
With the Union Platform, the administrator password is stored in an XML file. I know I could just rename the file and tell the swf to read it from that new location, but if someone were to decompile it, not only would they get the source like normal but they would then be granted administrator access. I know I could try changing the admin SWF file name or the port that the Union server is running on, but this is a really insecure method.

Since the admin swf is a free download on their site, anyone with access to the internet could hack my program if they found my XML file.

Since the Union platform is probably a bit obscure, here is the website.

I would just password protect the directory the xml file is in, but that would not do too much good as flash files do not know how to enter passwords.

+1  A: 

The config XML file you're talking about doesn't go anywhere near your web contents. It goes in the UNION_HOME folder, which is wherever you unpack the app for installation. See this page for more info.

Thus, SWFs don't access that config file to check passwords. SWFs connect to the server with a socket connection, and the server app knows how to check the XML file. There's no security issue.

fenomas
My problem here though is that since I am not deploying the server locally, I must upload everything via FTP to the web server. How can I protect the XML file then?
Cyclone
When you FTP to the web server, the root folder you enter should not be the root of the web content. You should have access to some folder that is not available from the web; you should put Union there. (Even if you absolutely had to put the install in a web-viewable folder, you could simply password-protect it - as I said, the client flash does not try to access that XML file. But you shouldn't install into the web hierarchy.)
fenomas
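The answer's point is that the Union config XML belongs in a folder the web server never serves, not anywhere under the site's document root. The following POSIX shell script is an added example, not code from the original question, the answer, or the Union project: it checks that a given config file resolves outside a given document root and is not readable by other local users. The paths `htdocs`, `opt/union` and `union.xml` in the demo are constructed assumptions for illustration.

```shell
#!/bin/sh
# Added example: verify that a server-side config file (such as the Union
# admin-password XML) lives outside the web document root and is not
# world-readable. All sample paths are constructed for the demo.

# Print the canonical (symlink-resolved) form of a directory path.
canon_dir() {
  (cd "$1" 2>/dev/null && pwd -P)
}

# is_under DOCROOT FILE: returns 0 if FILE's directory resolves to
# somewhere inside DOCROOT, 1 if outside, 2 if a path does not exist.
is_under() {
  root=$(canon_dir "$1") || return 2
  dir=$(canon_dir "$(dirname "$2")") || return 2
  # The trailing slash stops /var/www2 from matching /var/www.
  case "$dir/" in
    "$root"/*) return 0 ;;
    *)         return 1 ;;
  esac
}

# world_readable FILE: returns 0 if the "others" read bit is set.
world_readable() {
  [ -e "$1" ] || return 2
  # Octal mode string; the first form is GNU stat, the second BSD/macOS stat.
  perm=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
  case "$perm" in
    *[4567]) return 0 ;;
    *)       return 1 ;;
  esac
}

# check_config DOCROOT FILE: prints findings; returns 0 only when the file
# is both outside the document root and not world-readable.
check_config() {
  status=0
  if is_under "$1" "$2"; then
    echo "WARN: $2 is inside the web root $1"
    status=1
  fi
  if world_readable "$2"; then
    echo "WARN: $2 is readable by every local user"
    status=1
  fi
  [ "$status" -eq 0 ] && echo "OK: $2 is outside $1 and not world-readable"
  return "$status"
}

# Constructed demo layout: one copy of the XML under the web root with
# typical 644 permissions, one copy in a private install folder with 600.
demo() {
  t=$(mktemp -d)
  mkdir -p "$t/htdocs/union" "$t/opt/union"
  echo '<config/>' > "$t/htdocs/union/union.xml"
  chmod 644 "$t/htdocs/union/union.xml"
  echo '<config/>' > "$t/opt/union/union.xml"
  chmod 600 "$t/opt/union/union.xml"
  check_config "$t/htdocs" "$t/htdocs/union/union.xml" || :
  check_config "$t/htdocs" "$t/opt/union/union.xml" || :
  rm -rf "$t"
}

demo
```

Run it on a real host with `check_config /path/to/docroot /path/to/UNION_HOME/union.xml`; a non-zero exit means the file is either reachable from the web hierarchy or readable by other accounts on the box, which is exactly the situation the answer warns against.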