| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 27 Jul 2006 07:52:04 +0200 From: "Amit Klein (AKsecurity)" <aksecurity@...pop.com> To: 3CO <threecheeseopera@...il.com> Cc: bugtraq@...urityfocus.com Subject: Re: Write-up by Amit Klein: "Forging HTTP request headers with Flash" On 26 Jul 2006 at 22:43, 3CO wrote: > FYI Flash9 added a new property for object and embed tags to prevent > this technique from being used: "allowNetworking": > http://livedocs.macromedia.com/flex/2/docs/wwhelp/wwhimpl/common/html/wwhelp.htm?context=LiveDocs_Parts&file=00001590.html > > That page doesn't explicitly list LoadVars as being disallowed, but I > just tested, and it is true. > The way I understand that help page, allowNetworking is part of the OBJECT/EMBED tag. Now, keep in mind that in the attack vectors described in my paper, the victim user/browser visits a malicious site (e.g. by clicking a malicious link), so the way Flash is invoked is completely controlled by the attacker (either the attacker provides the Flash object directly, by a link ending with ".swf", or the attacker provides a link to an HTML page containing an OBJECT/EMBED tag). And the attacker would surely not include the allowNetworking attribute in his/her page ;-) > For instance, Myspace has added that to all embed tags to prevent fun > from occurring. > That's a different story. MySpace faces a much more complex situation, wherein the attacker may very well be a user in MySpace allowed to upload HTML pages and Flash objects/links to MySpace. In MySpace's context, allowNetworking may be more relevant. > Great paper though (as usual); thanks. > Thanks for reading :-) -Amit
Powered by blists - more mailing lists