1 voted yes Amazon S3 Security Vulnerability Fix
Already begging for attention for this Amazon S3 CDN phpFox security vulnerability for about 1,5 year now.
Amazon S3 offers authentication and expiring url's to files which is great (read: ESSENTIAL) for membership sites.
This way members from a particular level (like VIP or whatever) can access particular files while other membership levels can not.
Even if USER-A is in a VIP membership he can not share it (videolinks, audiolinks, images, pdf, etc. hosted on S3) with his buddy USER-B as the links are authenticated and self expiring after XX seconds.
Right now if you mirror a phpFox site with offline browser software (such as Teleport) you can index all links to Amazon S3 and literally rip all content even if you're not a member at all.
Imagine the bandwidth costs for the website owner when this vulnerability gets exploited (imagine you're a website owner and host multiple terrabyte of media on S3) and also the privacy settings for users content are totally useless since all images, video's, etc. are easily accessible via Amazon S3.
So even if your members set their content to private and/or password protect it you can easily bypass this protection.
What do we really need?
-. S3 URL Authentication
-. Expiring URL's (admin can set XX seconds/minutes/hours the link is valid. After the set time a page refresh is required to get new url's)
Please note that it is NOT only about simply disabling XML preview that shows all files in the S3 folder.
It goes way way deeper than that and we REALLY need this to get fixed.
Already opened a bugreport about a year ago but then got the standard "working as designed" status.
Clearly to me that people really underestimate this security vulnerability.
So because of that "working as designed" status i try to get this fixed by a "feature request" (while it isn't a feature, but who cares, as long as it get fixed!).
it must works/ fixed for all hosting, not only amazon s3.
we need to save bandwith and also server load all the time
If possible we need to optimize the phpfox for amazon cost.
as many things are counted as cost.
better if phpfox can minimize the cost too
I apologize for the ignorance but I could not find an answer from the official amazon documents (http://aws.amazon.com/cloudfront/ vs http://aws.amazon.com/s3/ ).
1- Wasn't Amazon S3 a CDN? I always thought S3 was a CDN but now there is CloudFront
2- What is the difference between S3 and CloudFront?
And lastly, this I borrow from the Cloudfront link I provided above:
"This could be another Amazon Web Service – Amazon S3 bucket, Amazon EC2 instance – or this could be your own origin server."
which brings my third question:
3- Why would you use S3 with CloudFront (paying for two services) if you can use the very first object from your server? All subsequent requests should be taken from CloudFront since it is a CDN.
Thank you for enlightening me
And on top of my replies check this out http://www.labnol.org/internet/lower-amazon-s3-bil...
Great little tweak i would love to see phpFox Devs implement in the script.
It's a tiny tweak that saves money and also improve website loading time!
Win-Win!
@Matt
Here another informative article about S3 and Cloudfront CDN http://net.tutsplus.com/articles/general/superchar...
Besides that there is a small warning here http://stackoverflow.com/questions/3327425/when-to... that might be an issue.
This saves you having to duplicate your assets as you would when you use Amazon S3.
however after a file expires, Cloudfront will fetch it again from your live site (at cost). So cloud front is best for frequently accessed files, and less so for infrequently accessed ones.
one way to set the file expiry for apache is in .htaccess. for example
<filesMatch "\\.(mp3|mp4)$">
Header set Cache-Control "max-age=648000, private"
</filesMatch>
What about a radiobutton in the adminCP to let the admin decide whether to use Cloudfront as well besides S3?
Hi Matt,
Thanks for having your attention for this issue.
Answer 1: Please read this great info http://www.whoishostingthis.com/blog/2010/06/28/am...
Answer 2: http://aws.amazon.com/cloudfront/faqs/#How_is_Amaz... and also might wanna check out http://www.bucketexplorer.com/documentation/cloudf...
The only thing i really ask for is to make everything completely secure the way i mentioned in the OP (S3 URL Authentication and Expiring URL's).
PLEASE now when you dig into this S3 issue can you also provide a radiobutton for the admin to select whether he wants to provide files (video/audio/pdf/whatever) from his local server or not: http://www.phpfox.com/forum/troubleshooting-and-pr...
The issue in that thread describes that we are paying double costs (S3 and server bandwidth and server diskspace) to serve the content, which makes no sense.
Most people (regardess of shared hosting, dedicated or VPS) are limited to let's say 500GB diskspace by their host, therefor use S3/Cloudfront to serve/stream the files to members.
If you want to discuss anything about this feel free to PM me Matt.
Thanks in advance.
You can control this in S3 by only allowing your URL to access the data, all others are denied. Any scanner will not be your URL/IP and will not be able to scan directories for content as it gets denied, so I disagree that it's a phpfox bug, it's poor implementation on the S3 side of the user setting it up. S3 has many options for security, it would be a good idea for anyone using S3 to upgrade to CloudFront, connected to the S3 bucket. S3 is not recognized as a content delivery network, it's a storage engine with slower connections and weaker security, because it's a storage engine. CloudFront connected to S3 is a CDN recognized by Google Page Speed, etc. and offers faster, more reliable content delivery across the AWS network and security. phpfox doesn't need to be edited to do this, except for the URL field where you put the Cloudfront URL in there instead of S3, with https://
As for stopping scanners, curious people who follow direct links to directories, etc. just create a bucket policy and paste this in, editing example.com with your site's domain so only your domain can get and post content to the bucket, then replace 'bucketname' with your bucket's name. Use CloudFront though! The reverse DNS breaks down any IP spoofing and saves your privacy:
{
"Version": "2012",
"Id": "http referer policy",
"Statement": [
{
"Sid": "Allow get requests referred by www.example.com and example.com",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucketname/*",
"Condition": {
"StringLike": {
"aws:Referer": [
" http://www.example.com/ *",
" http://example.com/ *"
]
}
}
}
]
}
And that's it! To create a bucket policy just right click on your bucket name, then find the Edit Bucket Policy button, click it, create a policy, paste the above in after you edit it with your site's info.
You totally missing the point netsi22!
I already explained in this thread that it's plain simple to fake referrers, so even if you setup a referrer "lock" that checks whether the referrer is coming from YOUR site or not is a clear amateuristic fix.
Unbelievable after seeing this video you still miss the point!
http://www.youtube.com/watch?v=YMCW0VTuJ7o
FYI, the bucket policy isn't applied to CloudFront. For CloudFront you have to use the instruments "Finally" is requesting as a feature.
Wow, thanks. This is a top priority for phpFox CMS. Its a disaster that can affect lots of membership sites that are powered by phpFox.
Amazon S3 is cheaper and faster, but unless phpFox fix this, then the S3 is useless.
And thanks for the YouTube video too.
Thanks Potok.
I realized i might have been too technical with my explain but that video (and voice over) speak for itselves.
Unfortunately i wasn't able to add the video to the original post on top anymore (edit) so i posted it in a comment instead.
