lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <aff68f010607261943u1eda0e4dj9436fff60a210689@mail.gmail.com>
Date: Wed, 26 Jul 2006 22:43:01 -0400
From: 3CO <threecheeseopera@...il.com>
To: "Amit Klein (AKsecurity)" <aksecurity@...pop.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: Write-up by Amit Klein: "Forging HTTP request headers with Flash"

FYI Flash9 added a new property for object and embed tags to prevent
this technique from being used: "allowNetworking":
http://livedocs.macromedia.com/flex/2/docs/wwhelp/wwhimpl/common/html/wwhelp.htm?context=LiveDocs_Parts&file=00001590.html

That page doesn't explicitly list LoadVars as being disallowed, but I
just tested, and it is true.

For instance, Myspace has added that to all embed tags to prevent fun
from occurring.

Great paper though (as usual); thanks.

On 7/26/06, Amit Klein (AKsecurity) <aksecurity@...pop.com> wrote:
> Hi
>
> A reader going by the nickname "xeek" pointed out to me that
> the examples in the paper making use of the HTTP GET request
> do not work as-is (thanks xeek!). After looking at the matter,
> I realized that I made a silly mistake. In my research, I
> toyed with the LoadVars.send() method with 2 arguments
> (url and target window), and had Flash automatically
> select the appropriate methd (GET if empty body, POST if
> non-empty body). The exploit works fine this way. When I
> documented my findings, I decided to explicitly add the HTTP
> method, to clarify the write-up. BIG mistake - turns out
> that in such case, Flash doesn't send the headers if GET is
> used (sounds like a bug...). And pity I didn't verify the exact
> code I used in the write-up...
>
> Anyway, to summarize - there's a mistake in the document,
> and it's easily fixed. In each GET example, simply remove
> the explicit method (i.e. delete all instances of ,"GET" in
> the write-up). For example (the first example in the paper):
>
> [...]
> req.send("http://www.vuln.site/some/page.cgi?p1=v1&p2=v2",
>          "_blank");
>
> This works as advertised, and as also verified by xeek.
>
> Thanks, and sorry for the mistake,
> -Amit
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ