SWX: SWF Data Format


SWX is the native data format for Adobe Flash. This blog is about all things SWX, SWX RPC, SWX PHP and the SWX APIs (Flickr, Twitter, etc.)

Security patch for SWX PHP 1.0/1.0.1

If you have deployed SWX PHP 1.0 or 1.0.1 (not the SWX PHP Deployment Bundle) to a public server, please download showsource.php.zip and unzip it into the /php/services/_idvr/ folder on your server. This fixes a potentially exploitable security issue in showsource.php, the file that displays the source code of your services in the browser.

The issue also affects the SWX MAMP Bundle if you have deployed it to a public server (which you should not do in any case, as MAMP is not secured for deployment).

Thanks go to Sébastien Ballesté-Antich for reporting the issue after discovering it on the SWX homepage. Normally this should not affect you, as you should only deploy the SWX PHP Deployment Bundle to a public server. (The SWX homepage runs an instance of the full SWX PHP package to demonstrate the Start Page and other features.) I've now patched the SWX PHP instance on the SWX homepage with this update.

The SWX PHP Deployment Bundle is a bare-bones version of SWX PHP that doesn't contain the fancy Start Page, etc., that the development version has.

To clarify: this is not a security issue in the SWX RPC gateway or assembler of the SWX PHP implementation. It is in an unrelated file that displays the source code of your PHP service classes in the browser when you use the SWX PHP Start Page during development, so it affects development versions of SWX PHP only.

The SWX PHP Deployment Bundle is not affected by this issue.

6 Responses

  1. Nederflash says:

    SWX PHP 1.0/1.01 security patch…

    If you have put SWX PHP 1.0 or 1.01 on a public server (not the SWX PHP Deployment Bundle), download showsource.php.zip and unzip it into the /php/services/_idvr/ folder. This stops the potentially exploitable problem with showsource.php…

  2. Magirus says:

    There seems to be a typo in the link to the patch file. Can’t download it. Could you please correct the link.
    Thanks a lot

  3. aral says:

    Hi Magirus,

    *Three* typos in one URL to be exact! :) Wow, so that’s what happens when you work from the airport. Thanks so much for pointing it out — the link should work now.

  4. mxmotion says:

    Hi Aral… I have downloaded the showsource.php.zip but I can’t open it because it is password protected.
    Can you help me?

  5. dani says:

    Hi Aral,

    I’m a little bit confused about the deployment bundle. Why are the service explorer and analyzer included? I’m also getting the “fancy” start page. Leaving all the services open for everyone isn’t pretty safe, is it?

    I used this link:
    http://swxformat.org/downloads/swx_php_deployment_bundle_1.01.zip

    I understand a deployment bundle as a naked version of swx, without any debugging tools and no frontend!?

  6. aral says:

    Hi Dani,

    You’re right, that is the idea and the current version falls short of the mark. I’ll make sure that the next version of the deployment bundle is even more indecently naked :)