Flash + JS + crossdomain.xml = phun
I was browsing Jeremiah Grossman's blog and found an interesting post talking about a file named crossdomain.xml and extended uses of it in regards to cross-site scripting. In a nutshell, crossdomain.xml is a policy file that Flash Player fetches from the root of a web server to learn which other domains that server trusts; it is the server's way of saying "I am www.domainb.com and I will allow Flash content served from www.domaina.com to make requests to me and read the responses." That is the only thing standing between a Flash movie on some other site and the data behind your users' cookies, because the request goes out with the victim's session. Unfortunately, people are misconfiguring their crossdomain.xml file and allowing everybody, so a Flash movie hosted anywhere can talk to their server as the logged-in user.
Vulnerable Example:
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
Per the Adobe specification:
"Another change to the Flash Player 7 framework is the use of cross-domain policy files. A policy file is a simple XML file that gives the Flash Player permission to access data from a given domain without displaying a security dialog. When placed on a server, it tells the Flash Player to allow direct access to data on that server, without prompting the user to grant access.
The server can be in any location available to the Flash movie and does not have to be in the same domain. Cross-domain policy files, named crossdomain.xml, are placed at the root level of a server. When using a policy file you can use a wildcard character (*) in a domain name. For more information on policy files see Why Use Policy Files below."
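To make the misconfiguration concrete, here is a small policy auditor I added to this post; it is not code from the original article, from Adobe, or from Jeremiah's post. It parses a crossdomain.xml document, grades every allow-access-from entry, and shows the wildcard-to-everyone policy above beside a hardened one that names only the hosts that actually need access. The two policies are constructed sample input, and the severity labels and the "wildcard over an entire top-level domain" heuristic are my own assumptions, not part of the Adobe specification.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the vulnerable policy from the post. Any Flash movie on
# any site may now issue requests to this server with the victim's cookies.
VULNERABLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>
"""

# Constructed sample: a hardened policy that lists only trusted origins.
# A subdomain wildcard is tolerable when you control every host under it.
HARDENED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="www.domaina.com" />
  <allow-access-from domain="*.domaina.com" />
</cross-domain-policy>
"""


def audit_policy(xml_text):
    """Return a list of (domain, severity, reason) tuples, one per
    allow-access-from element, in document order.

    Severity levels are an assumption of this example, not Adobe's:
    critical  - domain="*": every origin on the Internet is trusted
    high      - wildcard that spans an entire top-level domain, e.g. *.com
    info      - subdomain wildcard such as *.domaina.com
    ok        - an explicit host name
    """
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("root element is <%s>, expected <cross-domain-policy>" % root.tag)

    findings = []
    for element in root.iter("allow-access-from"):
        domain = element.get("domain", "").strip()
        if domain == "*":
            findings.append((domain, "critical",
                             "any origin may read responses sent with the victim's cookies"))
        elif domain.startswith("*.") and domain.count(".") < 2:
            # Heuristic (assumption): "*.com" has one dot, "*.domaina.com" has two.
            findings.append((domain, "high",
                             "wildcard covers an entire top-level domain"))
        elif "*" in domain:
            findings.append((domain, "info",
                             "subdomain wildcard; acceptable only if you control every host under it"))
        else:
            findings.append((domain, "ok", "explicit host"))
    return findings


def is_open_to_everyone(xml_text):
    """True when the policy trusts every origin (the post's vulnerable case)."""
    return any(severity == "critical" for _, severity, _ in audit_policy(xml_text))


if __name__ == "__main__":
    for label, policy in (("vulnerable", VULNERABLE_POLICY), ("hardened", HARDENED_POLICY)):
        print("%s policy: open to everyone = %s" % (label, is_open_to_everyone(policy)))
        for domain, severity, reason in audit_policy(policy):
            print("  %-20s %-9s %s" % (domain, severity, reason))
```

Run it as-is to see both policies graded; to audit a live site, fetch http://www.domainb.com/crossdomain.xml yourself and pass the body to audit_policy. Anything graded critical is the case the post describes: the server has opted out of the same-origin protection that would otherwise stop a foreign Flash movie from reading its responses.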
I'm sure there are many other fun tidbits like this just waiting to be discovered.
Article Link: http://jeremiahgrossman.blogspot.com/2006/10/crossdomainxml-statistics.html
Chris Shiflett: http://shiflett.org/archive/267
Crossdomain.xml Specification: http://www.adobe.com/cfusion/knowledgebase/index.cfm?id=tn_14213