Hi, 
Guest
Pic
Sign In

websecurity@lists.webappsec.org

The Web Security Mailing List

View all threads

Re: [WEB SECURITY] CSRF: Flash + 307 redirect = Game Over

MZ
Michal Zalewski
Thu, Feb 10, 2011 9:00 PM

Michal - I agree Flash should fix this. What's their justification for not
doing so?

I do not have first-hand knowledge. I believe the problem may trace
back to the fact that the legacy API they use for the MSIE plugin does
not permit them to intercept and inspect HTTP redirects easily. Moving
to another API, such as WinInet, would perhaps help, but is
complicated.

FWIW, the first mention of this problem I know of dates back to March
2010. I believe multiple parties reached out to Adobe since then,
although I am not at liberty to discuss this in more detail.

/mz

> Michal - I agree Flash should fix this. What's their justification for not > doing so? I do not have first-hand knowledge. I believe the problem may trace back to the fact that the legacy API they use for the MSIE plugin does not permit them to intercept and inspect HTTP redirects easily. Moving to another API, such as WinInet, would perhaps help, but is complicated. FWIW, the first mention of this problem I know of dates back to March 2010. I believe multiple parties reached out to Adobe since then, although I am not at liberty to discuss this in more detail. /mz
Empathy v1.0   2024 ©Harmonylists.com