Sincere apologies for the triple posting - I sent the first on Saturday. Then when it hadn't appeared on Sunday, I doubted that I had posted correctly so I sent another. Then when neither had appeared on Monday, I began to think that my posts through the web interface weren't working so I tried an email posting. So on Tuesday (Australia time), four days later, all three posts arrived...
Cheers, Darren.

--- In [email protected], "dazweeja" <[EMAIL PROTECTED]> wrote:
>
> I'd like to create a simple Flex application that can be distributed
> to any (ie. untrusted) source that reads data from my web server using
> AMFPHP. I understand that this requires a crossdomain.xml file.
>
> I'm trying to get my head around the security implications of open
> (ie. allow all) crossdomain.xml files. Basically I understand that
> issues arise when there is an open crossdomain.xml file on a domain
> that uses cookie/session-based authentication as the SWF can
> read/forge the cookie info that is sent in the HTTP header. This
> allows cross-site forgeries and other unintended consequences. My main
> concern is with server security though. What are the implications as
> far as compromising the security of the server aside from cross-site
> forgeries? The Adobe article linked below suggests that
> crossdomain.xml files may allow access to other private servers on a
> network which is obviously quite serious.
>
> If I understand correctly, a lot of the risk can be mitigated by
> hosting the crossdomain.xml file on a separate sub-domain from the
> domain with the user authentication mechanism. Is this as
> straightforward as setting up an Apache virtual host for a sub-domain
> which hosts a simple PHP script/gateway that forwards/returns requests
> to the domain which contains the data source?
>
> How have others got around this problem? Can you provide me with a
> brief explanation of your solution.
>
> Cheers,
> Darren.
>
> If you don't understand what I mean by the security implications,
> these refs might help:
>
> http://shiflett.org/blog/2006/sep/the-dangers-of-cross-domain-ajax-with-flash
> http://renaun.com/blog/2006/12/13/167/
> http://www.hardened-php.net/library/poking_new_holes_with_flash_crossdomain_policy_files.html
> http://www.adobe.com/devnet/flashplayer/articles/cross_domain_policy.html

