I bet this question has been posted earlier also, but I couldn't find it googling. The method used in the FMS admin administration reference to access the admin API is like so:
But isn't this unsafe? I mean anyone can see the password this way??
Few ways to get over this would be to use Server.xml configurations on FMS to allow admin requests only from a trusted domain or a client (IP address) and disallow any other connect requests.
And using RTMPE to connect to the admin server would also be safe since it's encrypted.
I think the OP was wondering about exposing the username and password on the client side. If the question was actually about man-in-the-middle attacks sniffing out the credentials when making a server to server request, please correct me.
Regardless of the method being used to make the request of the admin service, never expose the admin service credentials to a client side application, unless that application is only accessible to authorized users who should have access to the FMS admin service. If you provide those credentials (via hard code or via service request) to a client side application that is accessible to the public or otherwise unauthorized admin service users, you immediately compromise your server security.
"wondering about exposing the username and password on the client side" - This is what I meant. You see, it's very easy to use Firebug in Mozilla Firefox to fish out HTTP requests. And then you can clearly see the admin username and password in the GET request.
That's what I thought you meant.
The answer here is, don't do it. If you need to have data from the admin service provided to your client side application, use a server side application (php, asp, .net, etc) to make the request of the FMS admin service, and then pass only the required data to the client side application. That way, you just need to store your FMS admin credentials on the server side, and you don't expose them elsewhere.
So basically, if a server script makes a request to the FMS admin server, the URL cannot be captured?
Had made this post a few days ago: http://flashvisions.com/general/hacking-private-channels-of-ustream/ and I was just worried if FMS credentials can be pulled off just as easily.
Sure... you can do that. You can use cURL or httprequest on the PHP side to pull down the data from the FMS admin service, then parse the XML and return the data to the .swf.
That said, if the .swf that needs to consume the data is already connected to an FMS application, it may be more efficient to open a connection from the fms application to the admin service, and then have the FMS application send the required data to the .swf over the existing netconnection. That way, you don't need to have the client side app call out to PHP, and the response data will already be native actionscript objects (so you wouldn't have to write code to parse the response data). In this case, you're using the FMS application as a proxy between the client and the admin service.
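The server-side proxy described in the replies above, sketched in PHP as an added example (not code from any poster in this thread). The `FMS_ADMIN_*` environment variable names, the default host, the application allowlist and the choice of the `getLiveStreams` call are assumptions for illustration; `auser` and `apswd` are the credential parameters of the FMS HTTP admin API.

```php
<?php
// Added example. Env var names, default host, allowlist and the call are assumptions.
// Credentials stay on the server; they never reach the .swf or the browser.
$adminHost = getenv('FMS_ADMIN_HOST') ?: '127.0.0.1:1111';
$adminUser = getenv('FMS_ADMIN_USER');
$adminPass = getenv('FMS_ADMIN_PASS');

header('Content-Type: application/json');

// The client only picks an application from a fixed allowlist. It never supplies
// the admin method, the URL, or anything else that is sent to the admin service.
$allowedApps = ['live', 'vod']; // constructed sample names
$app = $_GET['app'] ?? '';
if (!in_array($app, $allowedApps, true)) {
    http_response_code(400);
    exit(json_encode(['error' => 'unknown application']));
}

$url = 'http://' . $adminHost . '/admin/getLiveStreams?' . http_build_query([
    'auser' => $adminUser, 'apswd' => $adminPass, 'appInst' => $app,
]);

$ch = curl_init($url);
curl_setopt_array($ch, [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_CONNECTTIMEOUT => 3, // fail fast instead of hanging the page
    CURLOPT_TIMEOUT        => 5,
]);
$body = curl_exec($ch);
$err  = curl_error($ch);
curl_close($ch);

if ($body === false) {
    error_log('FMS admin request failed: ' . $err); // detail goes to the server log only
    http_response_code(502);
    exit(json_encode(['error' => 'admin service unavailable']));
}

$xml = @simplexml_load_string($body);
if ($xml === false || (string) $xml->code !== 'NetConnection.Call.Success') {
    http_response_code(502);
    exit(json_encode(['error' => 'admin call failed']));
}

// Pass on only the stream names; everything else in the admin response is dropped.
$streams = [];
foreach ($xml->xpath('data/*') ?: [] as $node) {
    $streams[] = (string) $node;
}
echo json_encode(['streams' => $streams]);
```

Because only this script talks to the admin service, the admin port can also be limited to the web server's address, in line with the earlier reply about Server.xml restrictions.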
Can you post the code you're using? It's impossible to help troubleshoot without knowing what you're trying to do.
It would also be helpful to understand the architecture of your deployment. What is your PHP environment? Is your HTTP/PHP server running on the same server as FMS? Provide as much information as possible.
For example, the API call I am using to test is:
So I get the above response, which is correct.
But then when I try using PHP as shown in the URL, http://www.hiteshagrawal.com/php/reading-remote-url-html-source-in-php
none of the methods seem to work.
I tried to access http://flashvisions.com/fms.php, but it just times out with no response. It's impossible to know what's happening if the php program doesn't output anything and you don't post your code.