What I mean is: if I can sniff what typed VO an application is receiving, I
can "craft" an AMF packet with:
- call to "deleteUser"
- the same VO "type" (simplified: as we know that this is just a string of
the class name followed by other strings describing property names and other
binary data with property values etc etc etc)

The gateway (fluorine, openamf, fds ... anything) will see a "valid"
object/type. There is no type-coercion error here.

This is an easy task to do with AMF knowledge. 


Bottom line: I don't think that passing simple types, untyped VOs or typed
VOs makes any difference from a security point of view.


Kind regards,
Zoli
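Added example illustrating the point above; it is not code from this thread or from any of the gateways named in it. A minimal AMF0 typed-object encoder/decoder shows that the VO "type" on the wire is only a length-prefixed class-name string in front of name/value pairs, and a hypothetical deleteUser handler shows where the check has to live: in server-side session state, not in the argument's declared type. The class name com.example.UserVO, the session dict and the handler itself are assumptions.

```python
import struct

# AMF0 type markers from the AMF0 specification (subset used here)
AMF0_STRING, AMF0_NULL, AMF0_OBJECT_END, AMF0_TYPED_OBJECT = 0x02, 0x05, 0x09, 0x10

def _utf8(s):
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b

def encode_typed_object(class_name, props):
    """Serialize a typed VO: marker, class-name string, name/value pairs,
    then the empty name plus object-end marker. The 'type' is just a string."""
    out = bytes([AMF0_TYPED_OBJECT]) + _utf8(class_name)
    for name, value in props.items():
        out += _utf8(name)
        out += bytes([AMF0_NULL]) if value is None else bytes([AMF0_STRING]) + _utf8(value)
    return out + _utf8("") + bytes([AMF0_OBJECT_END])

def _read_utf8(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n

def decode_typed_object(buf, pos=0):
    """Decode one typed object; returns (class_name, props, next_pos)."""
    if buf[pos] != AMF0_TYPED_OBJECT:
        raise ValueError("not an AMF0 typed object")
    class_name, pos = _read_utf8(buf, pos + 1)
    props = {}
    while True:
        name, pos = _read_utf8(buf, pos)
        marker = buf[pos]
        if name == "" and marker == AMF0_OBJECT_END:
            return class_name, props, pos + 1
        if marker == AMF0_STRING:
            props[name], pos = _read_utf8(buf, pos + 1)
        elif marker == AMF0_NULL:
            props[name], pos = None, pos + 1
        else:
            raise ValueError(f"unsupported AMF0 marker 0x{marker:02x}")

def delete_user(session, packet):
    """Hypothetical gateway method. The class name decoded from the packet is
    client-chosen data, so the decision rests on the server-side session."""
    class_name, props, _ = decode_typed_object(packet)
    if session.get("role") != "admin":
        return "denied: deleteUser requires an admin session"
    return f"deleted {props['username']} (received as {class_name})"

# Constructed sample packet: identical bytes regardless of which client built it.
SAMPLE = encode_typed_object("com.example.UserVO", {"username": "bob", "note": None})
```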


________________________________

From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On
Behalf Of Patrick Mineault
Sent: Thursday, January 18, 2007 6:29 PM
To: flexcoders@yahoogroups.com
Subject: Re: [flexcoders] AMFPHP & Security



Wouldn't Fluorine and OpenAMF throw a type-coercion error, given that 
the first argument is typed? Of course, the code in the constructor 
would be called anyways.

Patrick
