gnash-dev
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re[2]: [Gnash-dev] Building in security

From: Udo Giacomozzi
Subject: Re[2]: [Gnash-dev] Building in security
Date: Wed, 2 May 2007 14:58:58 +0200 
Hello strk,

Wednesday, May 2, 2007, 2:01:30 PM, you wrote:
s> It seems all of those expoits are exploiting their security model.
s> By NOT implementing crossdomain.xml (or disabling whenever we'll implement)
s> we'll be the kind of all exploits for that.

s> In my opitnion the model is just bogus itself, so wouldn't go too deep
s> in trying to make it secure when it's security concept is just wrong.

The two links on the Wiki page talk about bugs in implementing the
security model (it's not the fault of the security model when some
software does not do sanity checks).

I see some security problems involved with URLs belonging to a LAN,
like reconfiguring a local router using HTTP. However, this is not
strictly a problem of the Flash security model since one can do HTTP
GET and POST requests to a Intranet URL using JavaScript or HTTP/HTML
as well (as long the response does not need to be parsed). I guess
doing port scans can be done in plain JavaScript as well.

Some mention that (for AJAX servers) the API should not be on the same
domain with the UI:
http://blog.monstuff.com/archives/000302.html

However, I don't really see why this would make any difference. As long as
scripts can cause the Browser to load a particular URL there will
always be a security risk. Assuming crossdomain.xml allows all
domains.

Udo
reply via email to
[Prev in Thread] Current Thread [Next in Thread]