Flash Scripting Security Issue

Macromedia has released a security bulletin about a Cross Server Scripting security issue in its Flash player.

The problem stems from the ability of SWF content to execute JavaScript commands, and it affects every web site that allows users to include or upload their own SWF content.

A typical abuse of this flaw would be for a malicious user to include a seemingly innocent SWF signature that, at the same time, transfers data such as cookies from every user who views the page containing the SWF.

Macromedia has announced that a new Flash 6 player will be made available in July that addresses the security issue with a new EMBED/PARAM parameter. The parameter will allow web sites to turn off any outbound scripting (ActionScript getURL() actions that specify a scripting statement) when displaying SWF content.
Flash Cross Server Scripting Security Bulletin
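
A site that displays user-submitted SWF markup can enforce such a parameter on the server instead of trusting what the user supplied. The following is an added example, not code from Macromedia or from this article: the article does not name the parameter, so the example assumes it is `allowScriptAccess` with the value `never`, and the sample markup is constructed. It handles only the OBJECT/EMBED/PARAM tags and is not a general HTML filter.

```python
from html import escape
from html.parser import HTMLParser

# Assumption: parameter name and value are not given in the article.
PARAM, SAFE = "allowscriptaccess", "never"

# Constructed sample: a user signature that tries to keep scripting enabled.
SAMPLE = ('<object width="100" height="50"><param name="movie" value="sig.swf">'
          '<param name="AllowScriptAccess" value="always">'
          '<embed src="sig.swf" AllowScriptAccess="always" width="100" height="50">'
          '</object>')


class _Rewriter(HTMLParser):
    """Re-emit a fragment, forcing PARAM=SAFE on every <embed> and <object>."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def _emit(self, tag, attrs):
        parts = [tag] + [n if v is None else f'{n}="{escape(v)}"' for n, v in attrs]
        self.out.append("<" + " ".join(parts) + ">")

    def handle_starttag(self, tag, attrs):  # the parser lowercases tag/attr names
        if tag == "param" and any(
                n == "name" and (v or "").strip().lower() == PARAM for n, v in attrs):
            return  # drop the user's setting; ours is added right after <object>
        if tag == "embed":
            attrs = [(n, v) for n, v in attrs if n != PARAM] + [(PARAM, SAFE)]
        self._emit(tag, attrs)
        if tag == "object":
            self._emit("param", [("name", PARAM), ("value", SAFE)])

    def handle_startendtag(self, tag, attrs):  # e.g. <param ... />
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))


def force_no_script_access(fragment):
    """Return the fragment with outbound scripting disabled for all SWF embeds."""
    rewriter = _Rewriter()
    rewriter.feed(fragment)
    rewriter.close()
    return "".join(rewriter.out)
```

Comments and declarations in the input are dropped because the rewriter does not re-emit them.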
