WebmasterWorld

Flash and Shockwave Forum

Web Developers, Fix your Insecure Flash
encyclo
msg:3614701
1:52 pm on Mar 30, 2008 (gmt 0)

[securityfocus.com...]
Warnings about the insecurity of online Flash multimedia created with all but the most recent authoring tools have largely fallen upon deaf ears (...) Web site owners continue to host older files created by older authoring programs that are vulnerable to cross-site scripting (XSS) attacks, Rich Cannings, information security engineer of search giant Google, told security professionals attending the conference on Wednesday.

The researchers from Google found that, despite the fact that the vulnerabilities were published in December 2007, none of the websites checked had updated their Flash files created with the vulnerable software.

Adobe plans to release a new version of its Flash Player in early April that will prevent attackers from exploiting the issues and, likely, break much of the Flash content on Web sites that are unprepared for the changeover. The makers of major authoring tools have also closed the security holes in the Flash files created by their tools.

The details of the research can be found here:

XSS Vulnerabilities in Common Shockwave Flash Files [docs.google.com]

Adobe's advice for republishing your SWF files can be found here:
Update to Dreamweaver and Contribute to address potential cross-site scripting vulnerabilities [adobe.com]

Is your Flash making your site vulnerable?
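Added example, not from this thread or from any of the tools it names: a small Python inventory script that decodes each SWF's header (signature, version, stage size, frame rate) and flags files whose modification time predates the December 2007 disclosure, so old generated SWFs can be queued for republishing. The cutoff date, the file names and the header bytes are constructed for the demo, and mtime is only a rough proxy for whether a file was actually republished.

```python
import os
import struct
import tempfile
import zlib
from pathlib import Path

def parse_swf(data):
    """Decode the SWF header: signature, version, length, stage RECT, frame rate and count."""
    sig, version, length = data[:3], data[3], struct.unpack_from("<I", data, 4)[0]
    if sig not in (b"FWS", b"CWS"):
        raise ValueError("not an FWS/CWS SWF (LZMA-compressed ZWS files are not handled here)")
    body = zlib.decompress(data[8:]) if sig == b"CWS" else data[8:]  # CWS: zlib from byte 8
    nbits = body[0] >> 3  # RECT: 5-bit field width, then xmin, xmax, ymin, ymax in twips
    total_bits, rect_bytes = 5 + 4 * nbits, (5 + 4 * nbits + 7) // 8
    bits = int.from_bytes(body[:rect_bytes], "big") >> (rect_bytes * 8 - total_bits)
    # SB (signed) fields per spec, read as unsigned here: a stage origin below zero is rare
    xmin, xmax, ymin, ymax = ((bits >> (nbits * (3 - i))) & ((1 << nbits) - 1) for i in range(4))
    rate, frames = struct.unpack_from("<HH", body, rect_bytes)  # rate is 8.8 fixed point
    return {"compressed": sig == b"CWS", "version": version, "length": length,
            "width_px": (xmax - xmin) / 20, "height_px": (ymax - ymin) / 20,
            "frame_rate": rate / 256.0, "frame_count": frames}

def make_swf(version, width_px, height_px, fps, frames, compress):
    """Build a minimal SWF (header plus End tag) as constructed sample data."""
    xmax, ymax = width_px * 20, height_px * 20  # 20 twips per pixel
    nbits = max(xmax, ymax).bit_length() + 1  # extra bit keeps the signed fields positive
    total_bits, rect_bytes = 5 + 4 * nbits, (5 + 4 * nbits + 7) // 8
    bits = (nbits << (4 * nbits)) | (xmax << (2 * nbits)) | ymax  # xmin = ymin = 0
    body = (bits << (rect_bytes * 8 - total_bits)).to_bytes(rect_bytes, "big")
    body += struct.pack("<HHH", int(fps * 256), frames, 0)  # frame rate, frame count, End tag
    sig, length = (b"CWS" if compress else b"FWS"), 8 + len(body)  # length is uncompressed size
    return sig + bytes([version]) + struct.pack("<I", length) + (zlib.compress(body) if compress else body)

def inventory(root, republished_after):
    """List every .swf under root; flag files whose mtime predates the cutoff (epoch seconds)."""
    rows = []
    for path in sorted(Path(root).rglob("*.swf")):
        info = parse_swf(path.read_bytes())
        info.update(path=str(path), needs_review=path.stat().st_mtime < republished_after)
        rows.append(info)
    return rows

def demo():
    """Constructed tree: one SWF predates the December 2007 advisory, one was republished."""
    root = Path(tempfile.mkdtemp())
    cutoff = 1196467200  # 2007-12-01 UTC; treating that month as the cutoff is an assumption
    (root / "player.swf").write_bytes(make_swf(8, 550, 400, 12, 1, compress=True))
    (root / "banner.swf").write_bytes(make_swf(9, 300, 250, 24, 10, compress=False))
    os.utime(root / "player.swf", (cutoff - 86400, cutoff - 86400))
    return inventory(root, cutoff)
```

Run `demo()` to see the two constructed files listed with `needs_review` set only on the older one; point `inventory()` at a real web root and a cutoff of your choosing to triage your own files.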

tedster
msg:3614813
5:04 pm on Mar 30, 2008 (gmt 0)

Google Code offers a download of SWF Intruder, an application for testing the security of Flash files:

[code.google.com...]

I've got a whole pile of insecure Flash generated with older versions of Camtasia - what a PITA. Thanks for bringing up this issue, encyclo!

RonPK
msg:3614944
10:18 pm on Mar 30, 2008 (gmt 0)

Please note that the list of authoring tools does not include Flash. From the Google Docs document:

Critical vulnerabilities exist in a large number of widely used web authoring tools that automatically generate Shockwave Flash (SWF) files, such as Adobe® Dreamweaver®, Adobe Contribute®, Adobe Acrobat® Connect™ (formerly Macromedia Breeze), InfoSoft FusionCharts, and Techsmith Camtasia. The flaws render websites that host these generated SWF files vulnerable to Cross-Site Scripting (XSS).

This problem is not limited to authoring tools. [beep], a popular service provider, used a vulnerable controller SWF in many of their projects.

It seems that if you used Flash to create your .swf files, you're safe.

dreamcatcher
msg:3615649
8:32 pm on Mar 31, 2008 (gmt 0)

Yes, thanks guys. SWF Intruder = very useful.

dc

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved