Yes, it's possible.  I hope the original poster notified MM before
posting it in his blog.  

We'll need a patch for the Flash gateway to fix it.  However, it's not a huge
security problem for most installations--it's only an issue when you're
hosting internal web services that are secured only by the firewall, and
in order to exploit it, the exploiter must have a lot of info about your
internal network.

Sam

> -----Original Message-----
> From: Chris Kief [mailto:[EMAIL PROTECTED]] 
> Sent: Wednesday, January 15, 2003 8:18 PM
> To: CF-Talk
> Subject: Security issue with Flash Remoting and web service
> 
> 
> I was wondering if this was possible...
> 
> http://www.flash-remoting.com/notablog/home.cfm?newsid=14
> 
> snip...
> The Flash Remoting code calling a Web service will work from 
> anywhere. If you have the SWF file on your desktop, it will 
> work. If you have it on another server somewhere, it will 
> work. And. . .here's where the security problem is. . . .if 
> someone else uses YOUR Flash Remoting gateway to call a Web 
> service, it will work also. That means that I can use someone 
> else's gateway in my Flash movie, and call a remote web 
> service, and the processing will be done by the gateway--Web 
> service stub files will be created and the service will be 
> proxied through the gateway, in effect hijacking the gateway 
> of another server.
> 
> chris
> 

