Message-ID: <41A9C2A0.5070401@umbrella.name>
Date: Sun, 28 Nov 2004 20:20:48 +0800
From: Liu Die Yu <liudieyu@...rella.name>
To: bugtraq@...urityfocus.com, ntbugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com
Subject: Macromedia provided wrong "Solution" in mpsb02-08

There exists a sentence in the "Solution" part of mpsb02-08, located at
http://www.macromedia.com/devnet/security/security_zone/mpsb02-08.html

-----
For example, if the main page is served from macromedia.com, the wrapper page could be served from external.macromedia.com, and this would prevent any Macromedia Flash movies inside the wrapper page from accessing data associated with macromedia.com.
-----

I think:
"Macromedia Flash movies inside the wrapper page" got document.domain equal to "external.macromedia.com", then they can invoke "getURL" to set document.domain equal to "macromedia.com", and start "accessing data associated with macromedia.com".

===============

I was putting a flash tour on editive.com, and would like flash content hosted on 209.203.227.117 to read the editive.com cookie (where the language settings are stored). During googling, I came across this mistake in mpsb02-08.

http://editive.com/referrer

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
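The document.domain relaxation discussed in the message above, modelled as an added example that is not part of the original post or of Macromedia's bulletin. It follows the rules in the current HTML Standard, which is an assumption with respect to the 2004 browsers and Flash Player; the function names are hypothetical and PUBLIC_SUFFIXES is a constructed stand-in for the real Public Suffix List.

```javascript
// Added example: simplified model of the HTML Standard's document.domain rules.
// PUBLIC_SUFFIXES is a constructed stand-in for the real Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["com", "name", "net"]);
const isIPv4 = (h) => /^\d{1,3}(\.\d{1,3}){3}$/.test(h);

// May a document whose effective domain is `current` set document.domain to `value`?
function canSetDomain(current, value) {
  current = current.toLowerCase();
  value = value.toLowerCase();
  if (value === "") return false;
  if (value === current) return true;                 // own value is always accepted
  if (isIPv4(current) || isIPv4(value)) return false; // IP hosts have no parent domain
  if (PUBLIC_SUFFIXES.has(value)) return false;       // never relax to a bare suffix
  return current.endsWith("." + value);               // must be a parent-domain suffix
}

// domain stays null until the page assigns document.domain.
function makeOrigin(url) {
  const u = new URL(url);
  return { scheme: u.protocol, host: u.hostname, port: u.port, domain: null };
}

function setDomain(origin, value) {
  const effective = origin.domain ?? origin.host;
  if (!canSetDomain(effective, value)) throw new Error("SecurityError");
  return { ...origin, domain: value.toLowerCase() };
}

// "Same origin-domain": the comparison used for cross-frame DOM access.
function sameOriginDomain(a, b) {
  if (a.scheme !== b.scheme) return false;
  if (a.domain !== null && b.domain !== null) return a.domain === b.domain;
  if (a.domain === null && b.domain === null) return a.host === b.host && a.port === b.port;
  return false; // only one side relaxed: no access
}

const wrapper = makeOrigin("http://external.macromedia.com/wrapper.html");
const main = makeOrigin("http://macromedia.com/");
const relaxed = setDomain(wrapper, "macromedia.com");
console.log(sameOriginDomain(wrapper, main));  // separate hosts
console.log(sameOriginDomain(relaxed, main));  // only the wrapper relaxed
console.log(sameOriginDomain(relaxed, setDomain(main, "macromedia.com")));
console.log(canSetDomain("209.203.227.117", "editive.com"));
```

Under this model, serving the wrapper from a subdomain keeps it separate only while the main page never assigns document.domain itself, and a page addressed by IP cannot relax to a hostname at all.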