Posts in Category "security"

Security Bulletin

Security Bulletin for Flash Media Server:
APSB09-05 – Updates available to address Flash Media Server privilege escalation issue
http://www.adobe.com/support/security/bulletins/apsb09-05.html
Release date: April 30, 2009

Overview of the Flash Player February 2009 Security Update
http://www.adobe.com/devnet/flashplayer/articles/flash_player10.0.22_security_update.html

Update to Flex 3 to address potential cross-site scripting vulnerability
http://www.adobe.com/support/security/bulletins/apsb08-14.html
Release date: June 17, 2008

How to access flex app over https but connect to backend using http

Many applications need to be accessed over a secure connection but only need to connect to the backend over a non-secure connection, or vice versa. How do we accomplish that?

Secure connections can talk to secure and non-secure endpoints. Non-secure connections can only talk to non-secure endpoints. So you need to configure your channel for whichever case applies.

1. If the app is requested over https and then uses http to connect to the backend:

<channel-definition id="my-amf-secure" class="mx.messaging.channels.SecureAMFChannel">
<endpoint uri="https://{server.name}:{server.port}{context.root}/flex2gateway/" class="flex.messaging.endpoints.AMFEndpoint"/>
<properties>
<add-no-cache-headers>false</add-no-cache-headers>
</properties>
</channel-definition>

2. If the flex app is requested over http and then uses https to connect to the backend:
<channel-definition id="my-amf" class="mx.messaging.channels.SecureAMFChannel">
<endpoint uri="https://{server.name}:{server.port}{context.root}/flex2gateway/" class="flex.messaging.endpoints.SecureAMFEndpoint"/>
<properties>
<add-no-cache-headers>false</add-no-cache-headers>
</properties>
</channel-definition>

3. For LCDS 2.5 and 2.5.1, this configuration is enough.
For FDS 201, you also need to apply hotfix build 168076. You can get build 168076 from Flex Tech Support.
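An added checker, not from the post or from Adobe's tooling, that applies the rule above (a non-secure channel class cannot be paired with a secure endpoint class) and confirms add-no-cache-headers is false, run over a constructed services-config.xml fragment that holds the two channels from the post plus a deliberately wrong third one:

```python
import xml.etree.ElementTree as ET

# Constructed services-config.xml fragment (not the project's own file): the two
# channels from the post plus "bad-amf", which pairs a non-secure channel class
# with a secure endpoint class and has no properties block.
SERVICES_CONFIG = """<services-config>
  <channels>
    <channel-definition id="my-amf-secure" class="mx.messaging.channels.SecureAMFChannel">
      <endpoint uri="https://{server.name}:{server.port}{context.root}/flex2gateway/"
                class="flex.messaging.endpoints.AMFEndpoint"/>
      <properties><add-no-cache-headers>false</add-no-cache-headers></properties>
    </channel-definition>
    <channel-definition id="my-amf" class="mx.messaging.channels.SecureAMFChannel">
      <endpoint uri="https://{server.name}:{server.port}{context.root}/flex2gateway/"
                class="flex.messaging.endpoints.SecureAMFEndpoint"/>
      <properties><add-no-cache-headers>false</add-no-cache-headers></properties>
    </channel-definition>
    <channel-definition id="bad-amf" class="mx.messaging.channels.AMFChannel">
      <endpoint uri="https://{server.name}:{server.port}{context.root}/flex2gateway/"
                class="flex.messaging.endpoints.SecureAMFEndpoint"/>
    </channel-definition>
  </channels>
</services-config>"""


def is_secure(class_name):
    """A channel or endpoint is secure when its simple class name starts with 'Secure'."""
    return class_name.rsplit(".", 1)[-1].startswith("Secure")


def check_channels(xml_text):
    """Return {channel id: [problem, ...]}; an empty list means the channel passes."""
    report = {}
    for chan in ET.fromstring(xml_text).iter("channel-definition"):
        problems = []
        endpoint = chan.find("endpoint")
        if endpoint is None:
            problems.append("no <endpoint> element")
        elif not is_secure(chan.get("class", "")) and is_secure(endpoint.get("class", "")):
            # Non-secure connections can only talk to non-secure endpoints.
            problems.append("non-secure channel class paired with a secure endpoint class")
        # The post sets add-no-cache-headers to false so IE keeps the SSL
        # response long enough for the player to read it.
        no_cache = chan.findtext("properties/add-no-cache-headers", default="").strip()
        if no_cache.lower() != "false":
            problems.append("add-no-cache-headers is not false (IE over SSL may fail)")
        report[chan.get("id", "?")] = problems
    return report
```

Running check_channels(SERVICES_CONFIG) reports both channels from the post as clean and lists two problems for bad-amf.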

Flex app works with Firefox but not with IE when using SSL

Multiple users have run into the issue where the same Flex app works fine with Firefox but doesn't work with IE. So what is the difference between Firefox and IE when SSL is involved? Here is a list of the causes of the problem and how to resolve them:

Note: if the first request fails but a refresh works, you need to enable the IE option "Do not save encrypted pages to disk"; make sure it is selected.

1. By default the IE header is set to no-cache.
This may cause problems when your Flex app is using SSL. You can change the header setting as described in this TechNote. That keeps the data on the client long enough for the player to read it.
To change the header, follow the steps there to change the setting at the HTML level or the web server level.

You also need to double-check the channel-definition in services-config.xml (see this TechNote):

<channel-definition id="my-secure-amf" class="mx.messaging.channels.SecureAMFChannel">
<endpoint uri="https://{server.name}:{server.port}{context.root}/flex2gateway/" class="flex.messaging.endpoints.SecureAMFEndpoint"/>
<properties>
<add-no-cache-headers>false</add-no-cache-headers>
</properties>
</channel-definition>

2. Self-signed certificate configuration
If you are using a self-signed or otherwise invalid certificate, you will not be able to access https from IE, although it works in Firefox. An easy test shows the problem. For example, if you are using the ColdFusion gateway at https://localhost:8700/cfusion/flex2gateway/:
If you browse to that URL from Firefox, it returns a blank page without a security popup. A blank page means the gateway is working correctly.
If you access that URL from IE, you get a security popup dialog; once you select "Yes", IE returns a blank page. As you can see, IE is intercepting
the request, so Flex can't get to it automatically. However, after you select "Yes", which means your IE browser has accepted the URL as a trusted address, your Flex app will work fine. So it may be okay for internal testing to accept the URL manually, but you need a valid certificate for production.

3. IE limits connections per server. See the following links:

http://support.microsoft.com/kb/183110/

http://blogs.msdn.com/ie/archive/2005/04/11/407189.aspx

To avoid the problem, you can work from the client side or the server side.
If you control the client machine, follow the suggestion in http://support.Microsoft.com/kb/183110/ to increase the limit.
If you can't do that, you can change the endpoint to make IE think it is from a different URL.
Two approaches:
a). use the concept described in this blog post

http://weblogs.macromedia.com/pent/archives/2005/02/operating_in_pa.cfm

and set the endpoint in your data services like this:
<mx:RemoteObject
id="myService"
endpoint="https://www.my.com:8700/cfusion/flex2gateway/?foo=1"
destination="ColdFusion"
source="HelloWorld">
….

<mx:RemoteObject
id="myService"
endpoint="https://www.my.com:8700/cfusion/flex2gateway/?foo=2"
destination="ColdFusion"
source="HelloWorld">
…..

b). configure IIS to serve both www1.my.com and www2.my.com, and set the endpoints to
endpoint="http://www1.my.com:8700/cfusion/flex2gateway/"
endpoint="http://www2.my.com:8700/cfusion/flex2gateway/"

4. Another cause can be that a proxy server is in use. Even if you have Keep-Alive set to true in IE, you can still get one connection per file. The following is from an article about this topic, which includes how to check for the proxy server:

Keepin Alive

In most cases, Internet Explorer uses the Keep-Alive option in HTTP 1.1 so that it can reuse a connection to fetch several files. This takes advantage of a connection that has already been warmed up, saving all the connection startup overhead.

However, there is one common situation where IE is very conservative and does not use Keep-Alive; that is when a proxy server is in use. In those cases it drops back to the old one-connection-per-file mode, which can kill performance. That rule may have made sense 10 years ago when IE was new and proxy servers were flakey, but any proxy worth using today should handle Keep-Alive with no problems.

Do you know if your connection is using a proxy server? You may be surprised to find out that you are. Some security software uses proxies to filter Web pages, for example. To see if your connection is using a proxy, start IE and click Tools, Internet Options, Connections. Click the LAN Settings button and see if the Use A Proxy Server box is checked.

Here is how to check your HTTP 1.1 settings: In IE, click Tools, Internet Options, and the Advanced tab. Scroll down to Connection and make sure that both of these boxes are checked: Use HTTP 1.1 and Use HTTP 1.1 Through Proxy Servers.

http://www.pctoday.com/editorial/article.asp?article=articles/2006/t0409/26t09/26t09.asp&guid=

To access a data service over HTTPS from a Flex application that is served over HTTP

When accessing a data service over HTTPS from a Flex application that is served over HTTP, there are extra configuration steps you need to take. Please see the Flex docs for details.

However, sometimes one may still have problems making this work after following the docs. Here I will explain each step in a little more detail to show the common mistakes and the causes of some common error messages.

Configuration:
1. You must set the protocol property of the <mx:RemoteObject>, <mx:HTTPService>, or <mx:WebService> tag to https.
a). This means you have to set protocol="https" in your data service tag if you are using the Flex proxy.
b). However, if you are not using the Flex proxy, do not set protocol="https" in your tag. Flex will throw an error if you set it there.
c). To verify whether you are using the Flex proxy, check the <proxy-use-policy> setting in your flex-config.xml. The data service is not going through the proxy when either the useProxy property of the <mx:HTTPService> or <mx:WebService> tag is set to false, or the <proxy-use-policy> tag inside the <http-service-proxy> or <web-service-proxy> tag in flex-config.xml is set to never.

2. Set the HTTPS URL in flex-config.xml:
a). For remote object services, you must set the <amf-https-gateway> tag in the <remote-objects> tag of the flex-config.xml file to the absolute HTTPS URL of the AMF gateway.
b). For HTTP services and web services, you must set the <https-url> tag in the <http-service-proxy> tag or <web-service-proxy> tag to the absolute HTTPS URL of the Flex proxy.

3. Put crossdomain.xml under the web root /:
<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
</cross-domain-policy>
a). You need to set secure="false" in crossdomain.xml.
b). It is very important to put the crossdomain.xml file in the right location.
— When using the Flex proxy, it must be in the web root of the server that the Flex application is contacting. For example, if you are using IIS, it should be under inetpub/wwwroot.
— When not using the Flex proxy, the crossdomain.xml file must be on the endpoint server, for example under your Flex web app root.
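An added checker, not from the post or from Adobe's Flex tooling, that applies steps 1 to 3 above to constructed flex-config.xml and crossdomain.xml fragments (the host www.example.test is a placeholder). Beyond the steps themselves, it also reports how far the wildcard policy that step 3 uses reaches, since secure="false" together with domain="*" trusts SWFs from any origin:

```python
import xml.etree.ElementTree as ET

# Constructed flex-config.xml fragment (not the project's file): HTTP services go
# through the proxy, web services bypass it; the https URL host is a placeholder.
FLEX_CONFIG = """<flex-config>
  <http-service-proxy>
    <proxy-use-policy>always</proxy-use-policy>
    <https-url>https://www.example.test:8700/flex/flexproxy</https-url>
  </http-service-proxy>
  <web-service-proxy>
    <proxy-use-policy>never</proxy-use-policy>
  </web-service-proxy>
</flex-config>"""

# Constructed crossdomain.xml with the wildcard policy from step 3.
CROSSDOMAIN = """<cross-domain-policy>
  <allow-access-from domain="*" secure="false" />
</cross-domain-policy>"""


def check_service(flex_config_xml, proxy_tag, use_proxy=True, protocol=None):
    """Steps 1 and 2 for one <mx:HTTPService>/<mx:WebService> tag.
    proxy_tag is 'http-service-proxy' or 'web-service-proxy'; use_proxy is the
    tag's useProxy attribute; protocol is its protocol attribute (None if unset)."""
    root = ET.fromstring(flex_config_xml)
    policy = root.findtext(f"{proxy_tag}/proxy-use-policy", default="").strip()
    proxied = use_proxy and policy != "never"        # step 1c
    problems = []
    if proxied:
        if protocol != "https":                       # step 1a; error message 2
            problems.append('proxied service needs protocol="https"')
        https_url = root.findtext(f"{proxy_tag}/https-url", default="").strip()
        if not https_url.startswith("https://"):      # step 2b
            problems.append(f"<https-url> under <{proxy_tag}> must be an absolute HTTPS URL")
    elif protocol is not None:                        # step 1b
        problems.append("protocol must be omitted when the proxy is not used (Flex throws)")
    return problems


def audit_crossdomain(xml_text):
    """Step 3: report what each allow-access-from rule admits. secure="false" is
    what an HTTP-served SWF needs to reach an HTTPS service, but with domain="*"
    every origin is trusted; narrow domain to the host that serves the SWF."""
    findings = []
    for rule in ET.fromstring(xml_text).iter("allow-access-from"):
        domain = rule.get("domain", "")
        if rule.get("secure", "true").lower() == "false":
            findings.append(f"{domain}: secure=false, HTTP-served SWFs may reach this HTTPS host")
        if domain == "*":
            findings.append("domain=*: every origin is trusted; restrict to the SWF's host")
    return findings
```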

Common error messages and how to avoid them:
1. HTTPService Fault: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.

This means you are using a self-signed certificate for your HTTPS. You need to set
<allow-lax-ssl>true</allow-lax-ssl> in flex-config.xml.

2. HTTPService Fault: java.lang.RuntimeException: Invalid URL – can not access HTTPS URLs when accessing proxy via HTTP

This means you are using the Flex proxy but you didn't set protocol="https".

3. HTTPService Fault: Can’t retrieve data

This means crossdomain.xml is not set up correctly. See step 3 above.