[WEB SECURITY] CSRF: Flash + 307 redirect = Game Over

Michal Zalewski lcamtuf at coredump.cx
Thu Feb 10 16:00:25 EST 2011


> Michal - I agree Flash should fix this. What's their justification for not
> doing so?

I do not have first-hand knowledge. I believe the problem may trace
back to the fact that the legacy API they use for the MSIE plugin does
not permit them to intercept and inspect HTTP redirects easily. Moving
to another API, such as WinInet, would perhaps help, but is
complicated.

FWIW, the first mention of this problem I know of dates back to March
2010. I believe multiple parties reached out to Adobe since then,
although I am not at liberty to discuss this in more detail.

/mz




More information about the websecurity mailing list