Re[2]: [Gnash-dev] Building in security
From: Udo Giacomozzi
Subject: Re[2]: [Gnash-dev] Building in security
Date: Wed, 2 May 2007 14:58:58 +0200
Hello strk,
Wednesday, May 2, 2007, 2:01:30 PM, you wrote:
s> It seems all of those exploits are exploiting their security model.
s> By NOT implementing crossdomain.xml (or disabling whenever we'll implement)
s> we'll be the kind of all exploits for that.
s> In my opinion the model is just bogus itself, so I wouldn't go too deep
s> in trying to make it secure when its security concept is just wrong.
The two links on the Wiki page talk about bugs in implementing the
security model (it's not the fault of the security model when some
software does not do sanity checks).
I see some security problems involved with URLs belonging to a LAN,
like reconfiguring a local router using HTTP. However, this is not
strictly a problem of the Flash security model, since one can do HTTP
GET and POST requests to an intranet URL using JavaScript or HTTP/HTML
as well (as long as the response does not need to be parsed). I guess
port scans can be done in plain JavaScript as well.
Some mention that (for AJAX servers) the API should not be on the same
domain with the UI:
http://blog.monstuff.com/archives/000302.html
However, I don't really see why this would make any difference. As long as
scripts can cause the browser to load a particular URL there will
always be a security risk, assuming crossdomain.xml allows all
domains.
Udo
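The distinction Udo draws above, between a request that is merely sent and a response that a SWF may read, is what crossdomain.xml actually gates. The following is an added example written for this archive page, not Gnash code and not Adobe's reference behaviour: a toy evaluator for crossdomain.xml that decides whether a SWF from a given origin may read a response, next to a blind request that no policy controls. The two policy files are constructed sample input, and the handling of the `secure` attribute is simplified (a `secure="true"` rule is taken to require an https SWF, and the attribute defaults to false here).

```javascript
// Added example (not from the Gnash project): a toy crossdomain.xml evaluator.
// It models two separate questions:
//   1. canSendBlindRequest(): a cross-domain GET/POST is always sent, so a LAN
//      router whose reply you never need to parse is reachable regardless of policy.
//   2. canReadResponse(): whether a SWF from another origin may read the reply,
//      which is the only thing the policy file decides.
// Both policies below are constructed sample input.

const PERMISSIVE_POLICY = `<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>`;

const RESTRICTIVE_POLICY = `<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="www.example.com" />
  <allow-access-from domain="*.cdn.example.net" secure="true" />
</cross-domain-policy>`;

// Extract the allow-access-from rules with a regex (no DOM available in Node).
// Only the attributes this example uses are read; everything else is ignored.
function parsePolicy(xml) {
  const rules = [];
  const re = /<allow-access-from\b([^>]*)\/?>/g;
  let m;
  while ((m = re.exec(xml)) !== null) {
    const attrs = m[1];
    const domain = /domain="([^"]*)"/.exec(attrs);
    const secure = /secure="([^"]*)"/.exec(attrs);
    if (domain) {
      // Simplification: secure defaults to false unless written out explicitly.
      rules.push({ domain: domain[1], secure: secure ? secure[1] === "true" : false });
    }
  }
  return rules;
}

// Match a requesting host against one domain pattern:
// "*" matches anything, "*.example.net" matches any subdomain (not the bare
// domain itself), and anything else must match exactly.
function domainMatches(pattern, host) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // ".example.net"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Would a SWF loaded from swfOrigin (e.g. "https://evil.example.org") be allowed
// to read a response from a server that publishes policyXml?
function canReadResponse(policyXml, swfOrigin) {
  const url = new URL(swfOrigin);
  const host = url.hostname;
  const swfIsHttps = url.protocol === "https:";
  return parsePolicy(policyXml).some(
    (rule) => domainMatches(rule.domain, host) && (!rule.secure || swfIsHttps)
  );
}

// The policy never prevents the request from leaving the player: a blind
// GET/POST to an intranet URL goes out no matter what crossdomain.xml says.
function canSendBlindRequest() {
  return true;
}

// Summarise both questions for one origin against one policy.
function evaluate(policyXml, swfOrigin) {
  return {
    sent: canSendBlindRequest(),
    readable: canReadResponse(policyXml, swfOrigin),
  };
}

// Example run: a SWF on an arbitrary site against the two sample policies.
console.log(evaluate(PERMISSIVE_POLICY, "http://evil.example.org"));
console.log(evaluate(RESTRICTIVE_POLICY, "http://evil.example.org"));
```

With `domain="*"` the attacker-controlled SWF reads the intranet reply outright; with the restrictive policy it cannot read it, but `sent` is still true, which is exactly why a router that accepts a blind reconfiguration request is exposed either way.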
- Re[2]: [Gnash-dev] Building in security, Udo Giacomozzi, 2007/05/02
- (Message not available)
- Re[2]: [Gnash-dev] Building in security, Martin Guy, 2007/05/02
- Re: [Gnash-dev] Building in security, strk, 2007/05/02
- Re: [Gnash-dev] Building in security, Martin Guy, 2007/05/02
- Re: [Gnash-dev] Building in security, strk, 2007/05/02
- Re: [Gnash-dev] Building in security, Martin Guy, 2007/05/02
- Re: [Gnash-dev] Building in security, strk, 2007/05/02
- Re[2]: [Gnash-dev] Building in security, Udo Giacomozzi (this message)
- [Gnash-dev] Re: Building in security, Eric Hughes, 2007/05/02
- Re: [Gnash-dev] Re: Building in security, Martin Guy, 2007/05/02
- [Gnash-dev] Whitelists and Blacklists, Eric Hughes, 2007/05/02