security

As reported on the 5th of June 2002 in a paper from Eyes On Security (Bypassing JavaScript Filters – the Flash! Attack), Flash SWF content can allow malicious users of web sites that allow users to upload or include SWF content to get access to information (cookies etc) that they aren’t supposed to have access to. Today Macromedia has released a security tech note about the issue: Macromedia: MPSB02-08 – Macromedia Flash Player Cross Server Scripting Security Issue It describes the problem in detail, and most interestingly offers a solution […]

Eyes on security has released a warning about Cross-site scripting attacks made possible on sites that allow uploadable files – Bypassing JavaScript Filters – the Flash way Basically, if you have a forum or pages where you allow users to upload files, the user will still be able to execute JavaScript through the SWF file, even if posting of JavaScript is disabled in the forum/on the pages. Allowing JavaScript execution allows malicious users to catch other users cookies from the domain the file is placed. The solution? Not allowing SWF

Via Flazoom: ActiveX flaw exposes Flash users to hacks ZDNet writes about a buffer overflow vulnerability in the previous version of the Flash 6 player (revision 23), the overflow allows for attacks via some HTML e-mail clients and when visiting malicious web sites. The problem only exist for Internet Explorer on the Windows platform. If you haven’t already, its a good idea to update to the latest version of the Flash 6 player – the update fixes the overflow vulnerability, and also fixes some other serious bugs in the Flash