Web Hosting Forums

This is a discussion on Flash Interaction on PHP based CMS Joomla - a genuine request/question in the Hosting Talk & Chit-chat forum

  1. #1
    Loyal Client
    Join Date
    Oct 2003
    Location
    Location: Location:
    Posts
    634

    Flash Interaction on PHP based CMS Joomla - a genuine request/question

    Ignoring the distinct possibility of endless harassment by a few notable members here, I'd like to get some opinions/suggestions/help on getting Flash to interact with the modestly popular PHP-based CMS, Joomla!

    Right now, I have a functioning registration thingie that sends form variables from Flash via POST to a component called CommunityBuilder. After some hacking about in the core component files, I finally got the sucker to work. It even works properly.

    The basic logic is to send the vars, then listen for and parse the response. Responses come from a config or language file, and are not formatted to play nice with Flash. So I beat them into submission.

    Now the bad news... the current 'security' update to the CB component utterly breaks my shiny new Flash widget. I'll spare the details until someone shows interest.

    My request, then, is to find some kind soul willing to help me build a more robust solution. I'm thinking about building a module for CB that handles requests from sources other than the native form, sort of a remoting solution. I can handle the Flash scripting, but for ease of discussion let's assume I'm functionally illiterate when it comes to PHP.

    I'll take any help I can get from perhaps answering a question or two on up to code warrior. My intent is not to hire someone, but to collaborate. 100% voluntary with no ill feelings about bailing out at any point. What I don't need are lectures about how I should be willing to pay, that I should go learn PHP myself, or anything else that isn't aimed at getting this thing done, however slowly that may be.

    Having said that, I will entertain offers to 'trade skills' or other barters.

    So.... let's open this up, shall we? Comments, questions, and constructive criticisms encouraged.

  2. #2
    Not A Senior Member homoludens's Avatar
    Join Date
    Sep 2005
    Location
    H-Town
    Posts
    569
    What has changed since the security update for CB in terms of your request variables? Do your requests get mangled (i.e. is CB filtering out suspect characters)? Or is CB / joomla completely blocking the request variables?

    The apps I code have whitelists for request variables stored in config files, so any attempt to add in extra request vars will be blocked by the core. Is there anything similar in CB / joomla?

    Do you have a crossdomain.xml file? I had problems with a flash widget working properly until I included one:

    HTML Code:
    <?xml version="1.0"?>
    <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
    <cross-domain-policy>
    	<allow-access-from domain="www.example.com/" />
    	<allow-access-from domain="subdomain.example.com/" />
    	<allow-access-from domain="example.com/" />
    </cross-domain-policy>
    Perhaps the CB update has replaced an instance of example.com with www.example.com.

    Note:

    HTML Code:
    <allow-access-from domain="*" />
    Introduces a CSRF vulnerability into your webapp, whatever macromedia / adobe might think.

  3. #3
    Loyal Client
    Join Date
    Oct 2003
    Location
    Location: Location:
    Posts
    634
    The CB update includes two additional functions whose names imply an attempt to prevent spoofing and possibly an additional restriction against targeting functions directly from outside the page.

    I don't think there's really a sandbox issue, though I'll try it out. The previous version worked both on the server and when I called the function locally from my desktop - the remote application is not Flash, anyway. But the local file is simply making a call like "http://domain.com/page.php?option=pages&function=register"

    Within Flash, I'm using that with a sendAndLoad() function that specifies the return variable to populate, and the POST method. So, really it's very similar to just entering the URL with options directly into an address bar. Flash just sniffs out the variable name on the return page.

    When I upgraded, the Flash application returned a 'failed to connect' error which is really anything that keeps the page from receiving the POST vars. On the CB end, there is no indication that a registration attempt was made, and I'm not sure how to log such attempts without going through the server logs.

  4. #4
    Not A Senior Member homoludens's Avatar
    Join Date
    Sep 2005
    Location
    H-Town
    Posts
    569
    Quote:
        The CB update includes two additional functions whose names imply an attempt to prevent spoofing and possibly an additional restriction against targeting functions directly from outside the page.

    Can you post details of these functions?

    Quote:
        I don't think there's really a sandbox issue, though I'll try it out. The previous version worked both on the server and when I called the function locally from my desktop - the remote application is not Flash, anyway. But the local file is simply making a call like "http://domain.com/page.php?option=pages&function=register"

    I think we are talking at cross-purposes. This article should make clear what I'm saying.

    Quote:
        Within Flash, I'm using that with a sendAndLoad() function that specifies the return variable to populate, and the POST method. So, really it's very similar to just entering the URL with options directly into an address bar. Flash just sniffs out the variable name on the return page.

    Yeah but if you have a flash widget at www.example.com/widget.swf and pass "http://example.com?var=val" to sendAndLoad() then the flash security model will tell you where to stick it.

    It occurred to me that during the php app upgrade, either the url being passed, or the domain the script is served on may have been changed from example.com to www.example.com or vice versa.

    Quote:
        When I upgraded, the Flash application returned a 'failed to connect' error which is really anything that keeps the page from receiving the POST vars. On the CB end, there is no indication that a registration attempt was made, and I'm not sure how to log such attempts without going through the server logs.

    Is LoadVars.onData not giving you any joy?
    Last edited by homoludens; 11-29-2006 at 01:44 PM. Reason: The mangledness of quotage.
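
An added example, not part of the thread and not CommunityBuilder or Joomla code: a small Python audit of a crossdomain.xml file covering the two points raised in the replies above, the `domain="*"` wildcard and the www.example.com versus example.com mismatch. The sample policy, the function names and the simplified matching rules (exact hostname match, `*.x` covering subdomains of x only) are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy for illustration (not taken from any real site).
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
    <allow-access-from domain="www.example.com" />
    <allow-access-from domain="*.cdn.example.com" />
    <allow-access-from domain="example.org/" />
    <allow-access-from domain="*" />
</cross-domain-policy>"""


def allowed_domains(policy_xml):
    """Return the domain attribute of every allow-access-from entry."""
    root = ET.fromstring(policy_xml)
    return [e.get("domain", "") for e in root.iter("allow-access-from")]


def host_matches(pattern, host):
    """Simplified model (assumption): '*' matches everything, '*.x' matches
    subdomains of x, anything else must equal the host exactly, so
    'www.example.com' does not cover 'example.com'."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def audit(policy_xml):
    """Return (domain, finding) pairs for entries that deserve a second look."""
    findings = []
    for domain in allowed_domains(policy_xml):
        if domain == "*":
            findings.append((domain, "any origin may read responses"))
        elif domain.startswith("*."):
            findings.append((domain, "every subdomain is trusted"))
        elif "/" in domain:
            findings.append((domain, "not a bare hostname"))
    return findings


def swf_host_allowed(policy_xml, swf_host):
    """True if a SWF served from swf_host is covered by some policy entry."""
    return any(host_matches(d, swf_host) for d in allowed_domains(policy_xml))


if __name__ == "__main__":
    for domain, finding in audit(SAMPLE_POLICY):
        print(f"{domain!r}: {finding}")
```

Running `swf_host_allowed` with the host the SWF is actually served from shows quickly whether a www/non-www change after an upgrade is what broke the request.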
