[WEB SECURITY] Poking new holes with Flash cross domain policy files

Amit Klein aksecurity at gmail.com
Thu Oct 19 16:57:07 EDT 2006


Stefan Esser wrote:
> Hi,
>
> I released a mini article today that covers the danger that arises for
> web applications because of the design flaws in the cross domain policy
> verification of the Flash player.
>
> You can read it here:
> http://www.hardened-php.net/library/poking_new_holes_with_flash_crossdomain_policy_files.html
>
>
BTW, regarding the Policy File Location, I suppose many of the tricks in 
"Path Insecurity" 
(http://www.webappsec.org/lists/websecurity/archive/2006-03/msg00000.html) 
can come in handy, ridding the attacker of the need to have an open 
redirector.

I'm talking about things like:

* The URL encoding trick (works with most web servers)
  http://dom.ext/upl%2fXdomain.xml
  http://www.some.site/bar/%2e%2e/foo/collect.cgi

* Backslashes (works in many Windows-based servers, particularly IIS)
  http://dom.ext/upl\Xdomain.xml
  http://www.some.site/bar/baz%5C..%5C../foo/collect.cgi

* %uHHHH (IIS specific extension)
  http://dom.ext/upl%u002fXdomain.xml

* Overlong UTF-8 encoding of a dot (may work with some servers, works with old IIS)
  http://dom.ext/upl%c0%afXdomain.xml
  http://www.some.site/bar/%c0%ae%c0%ae/foo/collect.cgi

* Double-encoded dot (may work with some servers, works with old IIS)
  http://dom.ext/upl%252fXdomain.xml
  http://www.some.site/bar/%252e%252e/foo/collect.cgi

I didn't test them, but my guess is that some will work.

It seems that this boils down to path (in)security...

-Amit

PS - note my new email address: same mailbox, different provider (gmail).
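The encoding tricks listed above all exploit one gap: a client that scopes a policy file by reading the URL literally sees a different directory than the server that leniently decodes the path. The following added example (not code from the post or from the Flash/IIS projects) is a server-side check that decodes a request path the way a permissive server might and compares the resulting directory with the literal one, so such requests can be rejected or logged before a file is served; the sample paths and the host dom.ext are constructed placeholders.

```python
import re
from urllib.parse import unquote


def literal_directory(raw_path: str) -> str:
    """Directory as a naive client reads the URL: only an unencoded '/'
    separates segments and nothing is decoded (how a policy file gets scoped)."""
    return raw_path.rsplit("/", 1)[0] + "/"


def permissive_decode(raw_path: str) -> str:
    """Decode like a lenient server might: IIS %uHHHH, overlong two-byte UTF-8 for
    ASCII, repeated percent-decoding, backslash as separator; then collapse . and .."""
    p = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), raw_path)
    # %c0%af -> '/', %c0%ae -> '.' (low 6 bits of the continuation byte)
    p = re.sub(r"%c[01]%([89abAB][0-9a-fA-F])",
               lambda m: chr(int(m.group(1), 16) & 0x3F), p, flags=re.I)
    for _ in range(3):  # peel double/triple encoding such as %252f
        decoded = unquote(p)
        if decoded == p:
            break
        p = decoded
    p = p.replace("\\", "/")
    segments = []
    for seg in p.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def policy_scope_mismatch(raw_path: str):
    """Return (client_dir, server_dir, mismatch). On mismatch the file the server
    would serve from server_dir is scoped by a literal-reading client to client_dir
    (e.g. the site root), so the request should be refused or normalized first."""
    client_dir = literal_directory(raw_path)
    server_dir = permissive_decode(raw_path).rsplit("/", 1)[0] + "/"
    return client_dir, server_dir, client_dir != server_dir


if __name__ == "__main__":
    # Constructed request paths mirroring the tricks in the post, plus a clean one.
    for raw in ["/upl%2fXdomain.xml", "/upl\\Xdomain.xml", "/upl%u002fXdomain.xml",
                "/upl%c0%afXdomain.xml", "/upl%252fXdomain.xml", "/upl/Xdomain.xml"]:
        client_dir, server_dir, bad = policy_scope_mismatch(raw)
        print(f"{raw:26} client {client_dir:6} server {server_dir:6} "
              f"{'MISMATCH' if bad else 'ok'}")
```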

----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
