Community Support Forums — WordPress® ( Users Helping Users ) — 2011-09-01T13:59:51-05:00 http://www.primothemes.com/forums/feed.php?f=4&t=14668 2011-09-01T13:59:51-05:00 http://www.primothemes.com/forums/viewtopic.php?t=14668&p=33656#p33656 <![CDATA[Re: Amazon bucket and direct download vulnerability]]> viewtopic.php?f=4&t=14780

Statistics: Posted by Cristián Lávaque — September 1st, 2011, 1:59 pm

]]> 2011-08-30T22:15:28-05:00 http://www.primothemes.com/forums/viewtopic.php?t=14668&p=33463#p33463 <![CDATA[Re: Amazon bucket and direct download vulnerability]]> Statistics: Posted by Jason Caldwell — August 30th, 2011, 10:15 pm

]]> 2011-08-30T21:13:06-05:00 http://www.primothemes.com/forums/viewtopic.php?t=14668&p=33458#p33458 <![CDATA[Re: Amazon bucket and direct download vulnerability]]>
OK, it's all fixed now. They did reset my account and it's working as it suppose to now. So easy, it took my almost 4 days..that's all. LOL, they are going to refund this month and last month fees :D :D :D

OK, now comes the fun stuff. I will create a new thread regarding video streaming and ways to server files across multiple platforms.

Thank you Jason for all your help

Sam

Statistics: Posted by drbyte — August 30th, 2011, 9:13 pm

]]> 2011-08-30T20:13:29-05:00 http://www.primothemes.com/forums/viewtopic.php?t=14668&p=33453#p33453 <![CDATA[Re: Amazon bucket and direct download vulnerability]]>
Code:
{
  "Version":"2008-10-17",
  "Statement":[{
   "Sid":"AllowPublicRead",
      "Effect":"Allow",
     "Principal": {
         "AWS": "*"
       },
     "Action":["s3:GetObject"],
     "Resource":["arn:aws:s3:::the bucket name/*"
     ]
   }
  ]
}


Yet, when I look at the permission it's all correct. I keep deleting it but it keeps coming back. Any Idea Jason

I am awaiting Amazon Support to figure it out because this is not good. All of my buckets have the same above policy that I can't get ride off

:evil:

Statistics: Posted by drbyte — August 30th, 2011, 8:13 pm

]]> 2011-08-30T19:44:13-05:00 http://www.primothemes.com/forums/viewtopic.php?t=14668&p=33448#p33448 <![CDATA[Re: Amazon bucket and direct download vulnerability]]> Well, I am working on new set of keys now and a new bucket. Not sure what's going on but I have sent Amazon support a ticket regarding my account.

I will post my finding

Sam

Statistics: Posted by drbyte — August 30th, 2011, 7:44 pm

]]> 2011-08-30T19:34:56-05:00 http://www.primothemes.com/forums/viewtopic.php?t=14668&p=33443#p33443 <![CDATA[Re: Amazon bucket and direct download vulnerability]]> Here is an example to go by Sam.

Please let me know if anything continues to cause problems in this regard.
Private file: https://s3.amazonaws.com/ws-s2member-files/video.mp4
( click screenshots to enlarge )

s3-bucket-permissions.png
s3-file-detais.png
s3-file-permissins.png

Statistics: Posted by Jason Caldwell — August 30th, 2011, 7:34 pm

]]> 2011-08-30T19:08:11-05:00 http://www.primothemes.com/forums/viewtopic.php?t=14668&p=33440#p33440 <![CDATA[Re: Amazon bucket and direct download vulnerability]]>
Thank you. I will try with Amazon first. I'm going to create another key and go from there.

What's the correct ACL permission for the individual files inside the bucket?

Sam

Statistics: Posted by drbyte — August 30th, 2011, 7:08 pm

]]> 2011-08-30T16:43:45-05:00 http://www.primothemes.com/forums/viewtopic.php?t=14668&p=33396#p33396 <![CDATA[Re: Amazon bucket and direct download vulnerability]]> Hi Sam, thanks for the follow-up!

As a member:

This:

Code: Select all
http://www.site.com/?s2member_file_inli ... /video.mp4

Translate to this:

Code: Select all
http://bucketname.s3.amazonaws.com/vide ... xgZY3kk%3D

Which the only part that I need is this: http://bucketname.s3.amazonaws.com/video.mp4 to make my case, the rest does not server any good for the above example. since that file if open to public then it's freely can be copied, downloaded, and embedded on the net.

Just to make sure you're experiencing what *should* be happening
with the configuration that s2Member expects.

For Members, if allowed, this link WILL work,
but only if they're logged-in, and have permission, based on your configuration of s2Member:
Code:
http://www.site.com/?s2member_file_inline=yes&s2member_file_download=/video.mp4

For Members and/or anyone in the public for that matter, this link should NEVER ( ever ) work:
Code:
http://bucketname.s3.amazonaws.com/video.mp4
This link should NEVER work, because your Amazon S3 Bucket should be secured from public access. In other words, the only way anyone should be allowed access to files inside your private Bucket at Amazon S3, is if/when s2Member produces a temporary authorization link, to a particular file that resides in your private Bucket, such as this one ( notice the AWSAccessKeyId & Expires parameters ):
Code:
http://bucketname.s3.amazonaws.com/video.mp4?response-cache-control=no-cache%2C+must-revalidate%2C+max-age%3D0%2C+post-check%3D0%2C+pre-check%3D0&response-content-disposition=inline%3B+filename%3D%22video.mp4%22&response-content-type=video%2Fmp4&response-expires=Tue%2C+23+Aug+2011+07%3A32%3A11+GMT&AWSAccessKeyId=AKIAJYAXYKPMZ2EFF5LA&Expires=1314689561&Signature=v4DJAznbWd6qETm6U2MHxgZY3kk%3D

So it should not matter that your Bucket name is exposed, because your Bucket should be off limits to all forms of public access anyway. If this is NOT the case for you, I'm guessing it could have something to do with your CloudFront distribution, or possibly with the permissions ( i.e. ACLs ) configured for this Bucket, or even configured on a per-file basis.

Regarding your frustration over finding a cross-compatible solution. I'm going to take a closer look at CloudFront before the next round of changes, and I'll see what we can come up with. I too would like to get this working for all browsers and mobile devices in a cross-compatible way. If we can't get it working with CloudFront, we may try CloudFlare, or another combination to meets the needs of all devices, as we are currently investigating this as a possible alternative in other areas anyway.

In the mean time, please let me know if you have any other suggestions. I'll keep this thread handy and use it as a reference as we work to improve this aspect of s2Member.

What concerns you about this? Can you please share your thoughts on a solution that might incorporate HTML5 video tags for me?

The only solution that seems to work with apple devices and the rest (-windows mobile) without any problems is the HTML5 video tags.

Statistics: Posted by Jason Caldwell — August 30th, 2011, 4:43 pm

]]> 2011-08-30T03:32:20-05:00 http://www.primothemes.com/forums/viewtopic.php?t=14668&p=33327#p33327 <![CDATA[Re: Amazon bucket and direct download vulnerability]]>
Thank you for the explanation and the links. Unfortunately that kind of authentication is easily broken. I understand the bucket authentication and all what follows but that's not what I am experiencing.

I am not worrying about my members downloading the video files. Actually I want them to do so because it makes them happy, and happy means more dollars in my account. What I am worrying about is one of them getting hold of the actual amazon url and freely distribute them on the net, or opening a web site while I am paying price.

Since you think it's not a problem to other users then I can discuss it here.

If you have a video files Jason in one of you amazon buckets I would like to become a member and view that file. Having said that, I will be able to tell you the bucket name & the file and have that video file streaming on my site.


Let's put it in urls

As a member:

This:

Code:
http://www.site.com/?s2member_file_inline=yes&s2member_file_download=/video.mp4


Translate to this:

Code:
http://bucketname.s3.amazonaws.com/video.mp4?response-cache-control=no-cache%2C+must-revalidate%2C+max-age%3D0%2C+post-check%3D0%2C+pre-check%3D0&response-content-disposition=inline%3B+filename%3D%22video.mp4%22&response-content-type=video%2Fmp4&response-expires=Tue%2C+23+Aug+2011+07%3A32%3A11+GMT&AWSAccessKeyId=AKIAJYAXYKPMZ2EFF5LA&Expires=1314689561&Signature=v4DJAznbWd6qETm6U2MHxgZY3kk%3D


Which the only part that I need is this: http://bucketname.s3.amazonaws.com/video.mp4 to make my case, the rest does not server any good for the above example. since that file if open to public then it's freely can be copied, downloaded, and embedded on the net.

For None Members:

This:

Code:
http://www.site.com/?s2member_file_inline=yes&s2member_file_download=/video.mp4


Translate to:

Code:
http://www.site.com/sing-up.php


Which is good.


The bucket is secured, I understand this but the files aren't. Bucket domain policies does not work. I tried all of them. for some reason Amazon is refusing to respond to the huge demand of implementing some sort of solid bucket policy or even a small script for CloudFront users to protect their files. It seems they only worry of how much $$ goes to their bank account.

CouldFront uses Adobe Flash Media Server 4. I have that installed on one of my servers. I have applied full security restrictions and it's working 100% BUT I can't deliver media to iPhone and iPad users. It's Flash. The only thing they have is a quick fix using Live Streaming and that work on some Apple devices.

So, I have Wowza media server 2 on another server and that works perfectly fine. I have to use JWPlayer, Or Flowplayer to stream the media to devices. Again, Apple devices does not seem to like the idea that there is another plugin other than QuickTime trying to provide media playback. All sorts of problem we had with Wowza and Apple devises (So they say it support them but good luck). Another issues we had is that SSL streaming is not available at this moment to Apple gadgets.

The only solution that seems to work with apple devices and the rest (-windows mobile) without any problems is the HTML5 video tags.

I even have a Windows 2008 IIS Media server installed, LOL, Beautiful smooth streaming an tons of security options but it does not stream to the Android devises :evil:

So, back to F4M....They support http streaming but it's wide open to the public. The only way to block that is to buy Adobe Access. At this point I am broke. Beside the fact, S2M (at this point) does not support any other storage other than s2m files folder or amazon s3. That's why I asked you if I can have something else beside these 2. I'm sure you are working on something..I can smell it form here :)

I am not sure why it's so difficult to server a secure media files over the Internet but It seems it's nothing but a corporate greed

Sorry I went far off the main subject.

Anyway, yes Jason, if you are a member on my site and your type the url above on the address bar it will get you the exact location of the file on Amazon S3

Unless I am missing something in the code.

Thank you

Sam

Statistics: Posted by drbyte — August 30th, 2011, 3:32 am

]]> 2011-08-29T12:45:49-05:00 http://www.primothemes.com/forums/viewtopic.php?t=14668&p=33242#p33242 <![CDATA[Re: Amazon bucket and direct download vulnerability]]> Thanks Sam. I just got your email.

While it's true that s2Member will expose the name of your Amazon S3 Bucket, that does not create a vulnerability unless you allow it to. That is, the Amazon S3 Bucket that you use in combination with s2Member should NOT be available to the public. If configured properly, files inside your Amazon S3 Bucket will only be available to authenticated members on your website.

*Dev Note* s2Member uses "Query String Authentication", provided by the Amazon® S3 API. Documented for developers here. To put it simply, s2Member will generate S3 authenticated redirect URLs ( internally ); which allow Customers temporary access to specific files inside your S3 Bucket.

s2Member assumes that you're creating a new Amazon® S3 Bucket, specifically for s2Member-protected files; and that your Bucket is NOT available publicly. In other words, if you type this URL into your browser ( i.e. http://s3.amazonaws.com/your-bucket-name/ ), you should get an error that says: Access Denied. That's good, that's exactly what you want.

See this thread for details: viewtopic.php?f=4&t=10054&p=20269&hilit=amazon+permissions#p20269

Now, introducing CloudFront will create a vulnerability for you. s2Member is currently NOT integrated with CloudFront, though we may try to improve on this in a future release. Configuring CloudFront will create a distribution of your otherwise protected files, making them all public. So if you need CloudFront, you won't be able to protect your files with s2Member at this time ( i.e. v110815 ) at this time.

Again, s2Member integrates with Amazon S3 only at this time, using the API methods provided by Amazon, as discussed here: http://docs.amazonwebservices.com/Amazo ... ation.html

Statistics: Posted by Jason Caldwell — August 29th, 2011, 12:45 pm

]]> 2011-08-27T22:11:21-05:00 http://www.primothemes.com/forums/viewtopic.php?t=14668&p=33137#p33137 <![CDATA[Re: Amazon bucket and direct download vulnerability]]>
Jason Caldwell wrote:
Hi Sam. So just to be clear.

The vulnerability that you found is when/if CloudFront is introduced, is that right?
I'm assuming that you configured CloudFront as "Streaming". That explains why you're having better luck with videos and seeking. Traditional file delivery protocols do not support "streaming" media, but a CloudFront Distribution can be configured to do so.

I'm not sure if it's possible to integrate s2Member with the Amazon S3 / CloudFront combination though, is it? Please enlighten me if you'd like to. I must confess, I don't much about CloudFront yet, and s2Member's file delivery integration with Amazon S3 is not currently designed to work with CloudFront, as this essentially creates an open distribution, making files vulnerable, or am I missing something?


Not really Jason. I configured CloudFront as "Download" and it's working much better than just using Amazon S3 alone. Smooth seeking with Amazon S3 Alone is not possible with iphone, ipad, ipod and androids. Media larger than 100MB.

I suppose using CloudFront uses cache to preload a movie rather than just S3 trying to serve the media using just bandwidth.

I emailed you back with my finding. Have fun and drive safe.

Sam

Statistics: Posted by drbyte — August 27th, 2011, 10:11 pm

]]> 2011-08-27T18:05:14-05:00 http://www.primothemes.com/forums/viewtopic.php?t=14668&p=33122#p33122 <![CDATA[Re: Amazon bucket and direct download vulnerability]]> Hi Sam. So just to be clear.

The vulnerability that you found is when/if CloudFront is introduced, is that right?
I'm assuming that you configured CloudFront as "Streaming". That explains why you're having better luck with videos and seeking. Traditional file delivery protocols do not support "streaming" media, but a CloudFront Distribution can be configured to do so.

I'm not sure if it's possible to integrate s2Member with the Amazon S3 / CloudFront combination though, is it? Please enlighten me if you'd like to. I must confess, I don't much about CloudFront yet, and s2Member's file delivery integration with Amazon S3 is not currently designed to work with CloudFront, as this essentially creates an open distribution, making files vulnerable, or am I missing something?

Statistics: Posted by Jason Caldwell — August 27th, 2011, 6:05 pm

]]> 2011-08-27T17:44:00-05:00 http://www.primothemes.com/forums/viewtopic.php?t=14668&p=33119#p33119 <![CDATA[Re: Amazon bucket and direct download vulnerability]]>
drbyte wrote:
Is he taking cover from Hurricane Irene that is passing by the East Coast? I know he's in Georgia but not sure how close the hurricane will come his way...I suppose just the end of it

Hey Sam, just got your email and Cristián pointed me to this thread, I'll take a closer look shortly.

Thanks for your concern about Irene. Actually, I'm on the road right now. I'm in Oregon, about to travel down through California. We're good over here :-). No earthquakes/storms over here yet, thank goodness.

Statistics: Posted by Jason Caldwell — August 27th, 2011, 5:44 pm

]]> 2011-08-26T23:32:38-05:00 http://www.primothemes.com/forums/viewtopic.php?t=14668&p=33010#p33010 <![CDATA[Re: Amazon bucket and direct download vulnerability]]> Statistics: Posted by drbyte — August 26th, 2011, 11:32 pm

]]> 2011-08-26T23:08:48-05:00 http://www.primothemes.com/forums/viewtopic.php?t=14668&p=33001#p33001 <![CDATA[Re: Amazon bucket and direct download vulnerability]]> Statistics: Posted by Cristián Lávaque — August 26th, 2011, 11:08 pm

]]> 2011-08-26T02:55:38-05:00 http://www.primothemes.com/forums/viewtopic.php?t=14668&p=32931#p32931 <![CDATA[Re: Amazon bucket and direct download vulnerability]]>
Well, the first part is what we suppose to protect is easily can be figured out and that's what I want Jason to look at. I can email you what I have.

The second part is what seems to be AppleLand want to be different and difficult. Well, it's all smart phones and tablets. The problems is huge when you serve large media to those devices. On the Android part, it will play just fine until you slide your finger on the seek bar...that's when it all goes bye bye, koko, and adios.

You will have to reload the page and start the media from the beginning. These devices wont function correctly when S3 & S2M serves the media directly for the bucket

Same goes for the iPhone and the iPad with sour cream and a red Chili. They don't like direct URL that contain "?". Especially the iPad, Holly crap, and good luck.

So, I turned to Amazon CloudFront using the http download option. PERFECT (speed & smooth seek). It plays perfectly using the video tags. No need to any plugin if you are planning to deliver the media via Android, iPhone and the iPad.

Now, the catch for the above is not to hide the bucket name and use cname (CNAME). It works 100% on all devices when configured but you'll have to use a subdomain. Meaning http://media.wesite.com

So instead of having a link that looks like http://bucketname.s3.amazonaws.com/test.mp4, it would be http://media.website.com/test.mp4

You can accomplish this using S2M and S3.....and that's a problem

If S2M can protect subdomains then we don't have to worry about some people taking http://media.website.com/test.mp4 and sticking it in their player (If). Will it work....not sure..I can't test it.

Well, if somebody got hold of the media..which can be viewed by looking at the log...all what you have to do is change your cname name and all the hotlinking will be broken

S3 alone speed range between 200 & 480Kbps. S3 & CloudFront speed range from 700 to 1200Kbps. Amazing ha!!! Serving files between 150 to 800MB)

Seek time on devises using S3 is not possible. Using CloudFront is smooth as silk.

:?

Statistics: Posted by drbyte — August 26th, 2011, 2:55 am

]]> 2011-08-26T01:38:49-05:00 http://www.primothemes.com/forums/viewtopic.php?t=14668&p=32923#p32923 <![CDATA[Re: Amazon bucket and direct download vulnerability]]>

drbyte wrote:
Can s2m protect subdomains? http://site.main.com using URI Level Access Restrictions...If not..is there a hack for it?


No, s2Member can only protect content delivered via the WordPress installation it's in. What do you need to protect? Another script?

Statistics: Posted by Cristián Lávaque — August 26th, 2011, 1:38 am

]]> 2011-08-25T23:10:20-05:00 http://www.primothemes.com/forums/viewtopic.php?t=14668&p=32919#p32919 <![CDATA[Re: Amazon bucket and direct download vulnerability]]>
Can s2m protect subdomains? http://site.main.com using URI Level Access Restrictions...If not..is there a hack for it?

Sam

Statistics: Posted by drbyte — August 25th, 2011, 11:10 pm

]]> 2011-08-25T07:59:29-05:00 http://www.primothemes.com/forums/viewtopic.php?t=14668&p=32875#p32875 <![CDATA[Re: Amazon bucket and direct download vulnerability]]>
I don't think there is a fix for this one, so there has to be another alternative way to deliver inline media files using S3&S2M.

Statistics: Posted by drbyte — August 25th, 2011, 7:59 am

]]> 2011-08-25T03:04:47-05:00 http://www.primothemes.com/forums/viewtopic.php?t=14668&p=32852#p32852 <![CDATA[Re: Amazon bucket and direct download vulnerability]]> Statistics: Posted by Cristián Lávaque — August 25th, 2011, 3:04 am

]]> 2011-08-24T21:23:20-05:00 http://www.primothemes.com/forums/viewtopic.php?t=14668&p=32817#p32817 <![CDATA[Re: Amazon bucket and direct download vulnerability]]>
I did, couple of times last night. I am awaiting his response.

Statistics: Posted by drbyte — August 24th, 2011, 9:23 pm

]]> 2011-08-24T20:24:09-05:00 http://www.primothemes.com/forums/viewtopic.php?t=14668&p=32812#p32812 <![CDATA[Re: Amazon bucket and direct download vulnerability]]> http://s2member.com/contact

Statistics: Posted by Cristián Lávaque — August 24th, 2011, 8:24 pm

]]> 2011-08-24T01:38:55-05:00 http://www.primothemes.com/forums/viewtopic.php?t=14668&p=32765#p32765 <![CDATA[Amazon bucket and direct download vulnerability]]>
Can you please email me. There is a major leak in the url associated with some certain products using Amazon bucket name and s2member

Sam

Statistics: Posted by drbyte — August 24th, 2011, 1:38 am

]]>