[osflash] crossdomain security holes
Claus Wahlers
claus at codeazur.com.br
Fri Oct 20 15:40:54 EDT 2006
> Sorry for the dumb questions, haven't had a chance to read that
> crossdomain article in detail yet. How exactly does it pose a security
> risk, in my understanding any server side code can do what Flash
> does without any sandbox restrictions or am I wrong?
>
> I've always assumed crossdomain policy files aren't an impenetrable
> fortress but does it open any additional security risks over any other
> technologies?
As far as I understood, there are two potential vulnerabilities:
- Redirects: often sites use some redirect mechanism to load 3rd party
links (to be able to count the outgoing hits I guess). They say you can
exploit that in a way that you use those redirect scripts to redirect
the crossdomain.xml request to a different location.
- GIF masquerade: They say Flash Player doesn't check for well-formedness
of the crossdomain.xml so if you add some junk (or, a GIF header) at the
beginning of the policy file it's still valid for the Flash Player (if a
site then offers uploading of images, you could upload your fake GIF and
have a crossdomain.xml on the otherwise secure site).
I tried the GIF hack but it didn't work in Flash Player 9.
Cheers,
Claus.
--
claus wahlers
côdeazur brasil
http://codeazur.com.br
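An added example, not part of the thread: a small audit script a site owner can run over a crossdomain.xml body to catch the two conditions discussed above from the defender's side. It rejects a policy that does not begin with XML (the "GIF header in front of the policy" case, which a strict parser refuses even if an older player might not), and flags a wildcard `domain="*"` that grants every origin access. The sample policies are constructed here for illustration; no real site is involved.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy bodies (not taken from any real server).
STRICT_POLICY = b"""<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="www.example.com" secure="true"/>
</cross-domain-policy>
"""

WILDCARD_POLICY = b"""<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>
"""

# The "GIF masquerade" shape from the thread: image header, then a policy.
GIF_MASQUERADE = b"GIF89a\x01\x00\x01\x00" + WILDCARD_POLICY


def audit_policy(data: bytes) -> dict:
    """Audit one crossdomain.xml body and return findings.

    well_formed  - parsed as XML with a <cross-domain-policy> root
    leading_junk - bytes before the first '<' (e.g. an image header)
    wildcard     - at least one allow-access-from with domain="*"
    domains      - every domain attribute seen, in document order
    """
    findings = {
        "well_formed": False,
        "leading_junk": False,
        "wildcard": False,
        "domains": [],
    }

    # A strict check: the first non-whitespace byte must open a tag.
    # Anything else (GIF/PNG headers, upload residue) is not a policy.
    if not data.lstrip(b" \t\r\n").startswith(b"<"):
        findings["leading_junk"] = True
        return findings

    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return findings  # junk inside the document also fails strict parsing

    if root.tag != "cross-domain-policy":
        return findings  # some other XML document served at the policy path

    findings["well_formed"] = True
    for el in root.iter("allow-access-from"):
        domain = el.get("domain", "")
        findings["domains"].append(domain)
        if domain == "*":
            findings["wildcard"] = True
    return findings


if __name__ == "__main__":
    for name, body in (("strict", STRICT_POLICY),
                       ("wildcard", WILDCARD_POLICY),
                       ("gif", GIF_MASQUERADE)):
        print(name, audit_policy(body))
```

When checking a live site, fetch the policy without following HTTP redirects and audit the body you actually received; a redirect on the policy URL is itself worth a finding, since that is the first mechanism the thread describes.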