Adobe Flash Design Flaw
| Author |
Message |
layingback
Joined: Apr 19, 2004
Posts: 953
|
|
| Back to top |
|
 |
Dizfunkshunal
Joined: Mar 23, 2006
Posts: 2079
|
 Post subject: Re: Adobe Flash Design Flaw
Posted: Fri Nov 13, 2009 2:16 pm |
 |
Dont use flash for interactive content!!!!!!!!!!!!! EX: Forums, login scripts, download/upload scripts etc. Been saying that for years.
_________________
Diz Web Design Status: Open (Use of resources requires registration.)
Dizfunkshunal's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS)
Multiple Setups |
|
| Back to top |
|
|
DJ Maze
Joined: Apr 19, 2004
Posts: 5668
Location: http://tinyurl.com/5z8dmv
|
Post subject: Re: Adobe Flash Design Flaw
Posted: Fri Nov 13, 2009 9:15 pm |
|
This issue is so normal.
If a website allows me to upload javascript, the issue is still the same.
Read cookie and forward cookie to malicious domain, voila!
_________________
There are two paths, the short one and the long one.
When you choose the short path you will notice it takes longer then the long path.
So READ the FAQ and Wiki first 
DJ Maze's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS)
Fedora 12 / 2.2.15 / 5.1.47 / 5.3.3 / CVS |
|
| Back to top |
|
|
layingback
Joined: Apr 19, 2004
Posts: 953
|
Post subject: Re: Adobe Flash Design Flaw
Posted: Sat Nov 14, 2009 8:33 am |
|
True.
But are the content-type header checks enough to protect against an overloaded GIF, jpg, pdf, zip carrying a flash - or other - payload?
_________________
Pro_News: The complete module for Dragonfly - now available as version 3.3
layingback's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS)
2.6 - 3.6 / 1.3.42 - 2.2.12 / 5.0.92 - 5.1.37 - 5.1.54 / 4.4.49 - 5.2.17 - 5.3 / 9.2.1 |
|
| Back to top |
|
|
DJ Maze
Joined: Apr 19, 2004
Posts: 5668
Location: http://tinyurl.com/5z8dmv
|
Post subject: Re: Adobe Flash Design Flaw
Posted: Sat Nov 14, 2009 12:14 pm |
|
No, but i figured out another way.
Encrypt login cookie with IP address. If IP doesn't match cookie can't be decrypted and login fails.
DJ Maze's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS)
Fedora 12 / 2.2.15 / 5.1.47 / 5.3.3 / CVS |
|
| Back to top |
|
|
layingback
Joined: Apr 19, 2004
Posts: 953
|
Post subject: Re: Adobe Flash Design Flaw
Posted: Sat Nov 14, 2009 12:42 pm |
|
That seems brilliant! Like most great ideas, seems obvious - after you see it 
How big a change though?
I think that only stops a 3rd party domain messing with the webserver. Good to do. But user's Windoze system still vulnerable from the 3rd party site - but what's new? And it looks as if Abode Flash 10 prevents most of the latter by implementing an exact match domain name check.
Unfortunate no clear indication if Adobe's exact domain name match treats a sub-domain as a match or mismatch. If mismatch then I was thinking simply moving coppermine album, etc., to a sub-domain such as uploads.{your_domainname} would prevent that attack vector.
_________________
Pro_News: The complete module for Dragonfly - now available as version 3.3
layingback's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS)
2.6 - 3.6 / 1.3.42 - 2.2.12 / 5.0.92 - 5.1.37 - 5.1.54 / 4.4.49 - 5.2.17 - 5.3 / 9.2.1 |
|
| Back to top |
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum
|
 |
User Info ![[x]](themes/dragonfly/images/minus.png "Show/hide content")  Welcome Anonymous
Last CVS commits
Languages
Community  Support for DragonflyCMS in a other languages:
• Deutsch
• Español
X-links
Preview theme
Each user can view the site with a different theme.
Themes marked with a * also change the forum look.
|
Forum FAQ
Search
Log in to check your private messages
Login
