[consulting] Flash origin policy and untrusted uploads
mark burdett
mfburdett at gmail.com
Fri Nov 13 09:04:21 UTC 2009
This is an interesting article about how SWF content can be hidden in
other types of files, and then used to attack the domain from which
the files are served:
http://www.computerworld.com/s/article/9140768/Flash_flaw_puts_most_sites_users_at_risk_say_researchers
http://www.foregroundsecurity.com/MyBlog/flash-origin-policy-issues.html
Basically, any site which allows untrusted users to upload files would
be vulnerable, unless the uploaded files are served from a different
domain (as e.g. facebook does with facebook.com vs. fbcdn.net)
--mark B.
More information about the consulting
mailing list