lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-id: <44C870A4.1028.122236@localhost>
Date: Thu, 27 Jul 2006 07:52:04 +0200
From: "Amit Klein (AKsecurity)" <aksecurity@...pop.com>
To: 3CO <threecheeseopera@...il.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: Write-up by Amit Klein: "Forging HTTP request headers with Flash"

On 26 Jul 2006 at 22:43, 3CO wrote:

> FYI Flash9 added a new property for object and embed tags to prevent
> this technique from being used: "allowNetworking":
> http://livedocs.macromedia.com/flex/2/docs/wwhelp/wwhimpl/common/html/wwhelp.htm?context=LiveDocs_Parts&file=00001590.html
> 
> That page doesn't explicitly list LoadVars as being disallowed, but I
> just tested, and it is true.
> 

The way I understand that help page, allowNetworking is part of the OBJECT/EMBED tag. Now,
keep in mind that in the attack vectors described in my paper, the victim user/browser
visits a malicious site (e.g. by clicking a malicious link), so the way Flash is invoked
is completely controlled by the attacker (either the attacker provides the Flash object 
directly, by a link ending with ".swf", or the attacker provides a link to an HTML page
containing an OBJECT/EMBED tag). And the attacker would surely not include the 
allowNetworking attribute in his/her page ;-)

> For instance, Myspace has added that to all embed tags to prevent fun
> from occurring.
>

That's a different story. MySpace faces a much more complex situation, wherein the attacker
may very well be a user in MySpace allowed to upload HTML pages and Flash objects/links to
MySpace. In MySpace's context, allowNetworking may be more relevant.

> Great paper though (as usual); thanks.
>

Thanks for reading :-)

-Amit

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ