[consulting] Flash origin policy and untrusted uploads

mark burdett mfburdett at gmail.com
Fri Nov 13 09:04:21 UTC 2009


This is an interesting article about how SWF content can be hidden in
other types of files, and then used to attack the domain from which
the files are served:

http://www.computerworld.com/s/article/9140768/Flash_flaw_puts_most_sites_users_at_risk_say_researchers
http://www.foregroundsecurity.com/MyBlog/flash-origin-policy-issues.html

Basically, any site which allows untrusted users to upload files would
be vulnerable, unless the uploaded files are served from a different
domain (as e.g. Facebook does with facebook.com vs. fbcdn.net).

--mark B.
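Added example (editor's code, not part of Mark's post or the linked writeups). It shows the two server-side checks the post implies: screening an upload for SWF content by its file-format header rather than by filename or Content-Type (both of which the uploader controls), and verifying that the host uploads are served from shares no cookie scope with the application host. The hostnames, the accepted image types and the two-label "site" approximation are assumptions; a production check should use a public-suffix list.

```python
import os
import re
import struct
from urllib.parse import urlsplit

# Editor's example; not code from the original post. Screens uploads for SWF
# content by magic bytes and checks that uploads live on a cookie-isolated host.

# SWF signatures from the SWF file-format specification:
# "FWS" uncompressed, "CWS" zlib-compressed (SWF 6+), "ZWS" LZMA-compressed (SWF 13+).
SWF_SIGNATURES = {b"FWS": "none", b"CWS": "zlib", b"ZWS": "lzma"}

# Magic bytes for the image types this hypothetical site accepts (assumption).
IMAGE_MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
}


def parse_swf_header(data):
    """Return (compression, version, declared_length) if data starts with a
    SWF header, else None. Layout: 3-byte signature, 1-byte version,
    4-byte little-endian uncompressed file length."""
    if len(data) < 8 or data[:3] not in SWF_SIGNATURES:
        return None
    version = data[3]
    (length,) = struct.unpack("<I", data[4:8])
    return SWF_SIGNATURES[data[:3]], version, length


def screen_upload(filename, data):
    """Decide whether an upload may be stored. Returns (accepted, reason).
    The extension only selects which magic bytes the content must carry."""
    swf = parse_swf_header(data)
    if swf is not None:
        return False, "SWF header (compression=%s, version=%d)" % swf[:2]
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    ext = "jpg" if ext == "jpeg" else ext
    if ext not in IMAGE_MAGIC:
        return False, "extension not allowed: %r" % ext
    if not data.startswith(IMAGE_MAGIC[ext]):
        return False, "content does not match .%s magic" % ext
    return True, ext


def _site(host):
    # Approximation: treat the last two labels as the cookie-sharing "site".
    # A cookie set for .example.com reaches every subdomain, so www.example.com
    # and uploads.example.com are NOT isolated from each other.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def origins_are_isolated(app_url, upload_url):
    """True if the upload host shares neither hostname nor parent-domain
    cookie scope with the application host (the post's recommended fix)."""
    app_host = urlsplit(app_url).hostname or ""
    up_host = urlsplit(upload_url).hostname or ""
    if not app_host or not up_host:
        return False
    return _site(app_host) != _site(up_host)


def download_headers(filename):
    """Headers for serving a stored upload: opaque Content-Type, forced
    download, no MIME sniffing. Defence in depth only; the separate host
    is the real fix, since the plug-in did not honour the server's type."""
    safe = re.sub(r"[^A-Za-z0-9._-]", "_", os.path.basename(filename))
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": 'attachment; filename="%s"' % safe,
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed samples: a minimal SWF header renamed to look like a photo,
    # and a genuine GIF header.
    swf_as_jpg = b"FWS\x08" + struct.pack("<I", 30) + b"\x00" * 22
    gif = b"GIF89a" + b"\x00" * 10
    print(screen_upload("avatar.jpg", swf_as_jpg))
    print(screen_upload("avatar.gif", gif))
    print(origins_are_isolated("https://www.example.com/", "https://uploads.example.com/"))
    print(origins_are_isolated("https://www.facebook.com/", "https://photos.fbcdn.net/"))
    print(download_headers('../"evil".jpg'))
```

Note that a subdomain such as uploads.example.com is reported as not isolated: it is a different origin for script purposes, but it still receives cookies set for .example.com, which is exactly what a SWF running there would want. The facebook.com / fbcdn.net split from the post passes.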

