Skip navigation
rajdeeprath
rajdeeprath
Currently Being Moderated

FMS administration api security

Nov 19, 2010 12:00 AM

hi

 

I bet this question has been posted earlier also , but i couldnt find it googling. The method used in FMS admin administration reference to access the admin api is like so:

 

http://www.example.com:1111/admin/getLiveStreamStats?auser=username&ap swd=password

&appInst=name&stream=name 

 

but isn't this unsafe ? i mean any one can see the password this way ??

1505 Views   15 Replies   Latest reply: JayCharles, Nov 22, 2010 5:45 AM
 
Replies
  • JayCharles
    Currently Being Moderated
    1. JayCharles,
    Nov 19, 2010 4:12 AM   in reply to rajdeeprath
    Report

    That's why we don't expose admin service requests to the public. Do it from the server side.

     
    |
    Mark as:
  • mamata_karna
    Currently Being Moderated
    2. mamata_karna,
    Nov 19, 2010 4:24 AM   in reply to rajdeeprath
    Report

    Few ways to get over this would be to use Server.xml configurations on FMS to allow admin requests only from a trusted domain or a client (IP address) and disallow any other connect requests.

    And using rtmpe to connect to admin server would also be safe since its encrypted.

     

     

    Regards

    Mamata

     
    |
    Mark as:
  • JayCharles
    Currently Being Moderated
    3. JayCharles,
    Nov 19, 2010 6:21 AM   in reply to mamata_karna
    Report

    I think the OP was wondering about exposing the username and password on the client side. If the question was actually about man-in-the-middle attacks sniffing out the credentials when making a server to server request, please correct me.

     

    Regardless of the method being used to make the request of the admin service, never expose the admin service credentials to a client side application, unless that application is only accessible to authorized users who should have access to the FMS admin service. If you provide those credentials (via hard code or via service request) to a client side application that is accessible to the public or otherwise unauthorized admin service users, you immediately compromise your server security.

     
    |
    Mark as:
  • rajdeeprath
    Currently Being Moderated
    4. rajdeeprath,
    Nov 19, 2010 6:51 AM   in reply to JayCharles
    Report

    "wondering about exposing the username and password on the client side" - This is what i meant. You see its very easy to use firebug in mozilla firefox to fish out http requests. And then you can clearly see admin username and password in the get request.

     
    |
    Mark as:
  • JayCharles
    Currently Being Moderated
    5. JayCharles,
    Nov 19, 2010 6:54 AM   in reply to rajdeeprath
    Report

    That's what i thought you meant.

     

    The answer here is, don't do it. If you need to have data from the admin service provided to your client side application, use a server side application (php, asp, .net, etc) to make the request of the FMS admin service, and then pass only the required data to the client side application. That way, you just need to store your FMS admin credentials on the server side, and  you don't expose them elsewhere.

     
    |
    Mark as:
  • rajdeeprath
    Currently Being Moderated
    6. rajdeeprath,
    Nov 19, 2010 6:59 AM   in reply to JayCharles
    Report

    So basically if server script makes a request to  fms admin server , the url cannot be captured ?

     

    Had made this post a few days ago. http://flashvisions.com/general/hacking-private-channels-of-ustream/ and i was just worried if FMS credentials can be pulled off just as easy.

     
    |
    Mark as:
  • JayCharles
    Currently Being Moderated
    7. JayCharles,
    Nov 19, 2010 7:00 AM   in reply to JayCharles
    Report

    Alternately, you can connect to the admin service via your FMS application, and then send the required data to the client through the FMs application.

     
    |
    Mark as:
  • rajdeeprath
    Currently Being Moderated
    8. rajdeeprath,
    Nov 19, 2010 7:05 AM   in reply to JayCharles
    Report

    My typical requirement in this case is to retrieve liveStreamstats.. for each stream in its playing page. If calling fms via php is safe then i will prefer that.

     
    |
    Mark as:
  • JayCharles
    Currently Being Moderated
    9. JayCharles,
    Nov 19, 2010 7:17 AM   in reply to rajdeeprath
    Report

    Sure... you can do that. you can use cURL or httprequest on the php side to pull down the data from the FMS admin service, then parse the XML and return the data to the .swf

     

    That said, if the .swf that needs to consume the data is already connected to an FMS application, it may be more efficient to open a connection from the fms application to the admin service, and then have the FMS application send the required data to the .swf over the existing netconnection. That way, you don't need to have the client side app call out to PHP, and the response data will already be native actionscript objects (so you wouldn't have to write code to parse the response data). In this case, you're using the FMS application as a proxy between the client and the admin service.

     
    |
    Mark as:
  • rajdeeprath
    Currently Being Moderated
    10. rajdeeprath,
    Nov 19, 2010 7:20 AM   in reply to JayCharles
    Report

    you mean Netconnection.call ? But actually i dont want swf to be involved in this the data i want to fetch related to stream must be displayed on html page.

     
    |
    Mark as:
  • JayCharles
    Currently Being Moderated
    11. JayCharles,
    Nov 19, 2010 9:37 AM   in reply to rajdeeprath
    Report

    In that case, you'd want to go the PHP route, since the client is not a .swf already connected to an FMS app.

     
    |
    Mark as:
  • rajdeeprath
    Currently Being Moderated
    12. rajdeeprath,
    Nov 21, 2010 1:28 AM   in reply to JayCharles
    Report

    Ok so now we have a issue:

     

    I can execute the url in browser. i get the reply also. But no matter what code i try it wont work when php tries to read the url.

     
    |
    Mark as:
  • JayCharles
    Currently Being Moderated
    13. JayCharles,
    Nov 21, 2010 6:41 AM   in reply to rajdeeprath
    Report

    Can you post the code you're using? It's impossible to help troubleshoot without knowing what you're trying to do.

     

    It would also be helpful to understand the architecture of your deployment. What is your PHP environment? Is your HTTP/PHP server running on the same server as FMS? Provide as much information as possible.

     
    |
    Mark as:
  • rajdeeprath
    Currently Being Moderated
    14. rajdeeprath,
    Nov 21, 2010 5:30 PM   in reply to JayCharles
    Report

    For example the api call ma using  to test is:

     

    http://raja.serveftp.net:1111/admin/ping?auser=admin&apswd=somepass

     

     

     

     

    So i get the above response. Which is correct.

     

    But then when i try using php as shown in the url, http://www.hiteshagrawal.com/php/reading-remote-url-html-source-in-php

    none of the methods seem to work.

     

    Example: http://flashvisions.com/fms.php

     
    |
    Mark as:
  • JayCharles
    Currently Being Moderated
    15. JayCharles,
    Nov 22, 2010 5:45 AM   in reply to rajdeeprath
    Report

    I tried to access http://flashvisions.com/fms.php, but it just times out with no response. It's impossible to know what's happening if the php program doesn't output anything and you don't post your code.

     
    |
    Mark as:
Actions

More Like This

  • Retrieving data ...

Bookmarked By (0)

Answers + Points = Status

  • 10 points awarded for Correct Answers
  • 5 points awarded for Helpful Answers
  • 10,000+ points
  • 1,001-10,000 points
  • 501-1,000 points
  • 5-500 points