lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <d65cd4390807250653s5dd6a4a3l188e5c42b4ae8c7c@mail.gmail.com>
Date: Fri, 25 Jul 2008 21:53:46 +0800
From: Sowhat <smaillist@...il.com>
To: bugtraq@...urityfocus.com, 
	"Full Disclosure" <full-disclosure@...ts.grok.org.uk>
Subject: Flashblock Bypass

Hi

I accidentally encountered a Flashblock bypass condition today.

For those who dont know what Flashblock it is,
"*Flashblock is an extension for the Mozilla, Firefox, and Netscape browsers
that takes a pessimistic approach to dealing with Macromedia Flash content
on a webpage and blocks ALL Flash content from loading. It then leaves
placeholders on the webpage that allow you to click to download and then
view the Flash content.* "

As stated by Philip Chee, the developer of Flashblock, "Flashblock is a
content blocker pure and simple. Flashblock is not
designed to improve your security at all.".

However, as the flash vulnerabilities become more prevalent,  Flashblock is
recommended to be used to for security purpose.
At least I know lots of security researchers are using  either Flashblock or
Noscripts to block flash.

OK, here comes the Demo:
For those who are using Flashblock with Firefox 3, Go to
http://secway.org/pr14/flashblock.htm

It does not work with FF2, as Philip commented:
"*Unless the embed identifies itself as a flash object in some way we
can't block it. On Firefox 2.0 we can block it because FX2 did some
mime type sniffing and silently added application/x-shockwave-flash
to the embed. Firefox 3.0 is stricter in avoiding mime-type sniffing*."

Anyway, Philip is right, *You can not rely on Flashblock to block all flash
and improve your security*.

Thanks
-- 
Sowhat
http://secway.org
"Life is like a bug, Do you know how to exploit it ?"

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ