Both the server and the workstation are owned by the evil guy... As said earlier, a
determined person doesn't even need a server; most things (data access)
are doable from a local SWF...

I am missing something; let me try to understand your point. What do you mean
by "which then gives it access to my server at www.foo.com"? Are you
concerned about data access (XML, RSS, server-side scripts etc.)? Are you
concerned about XSS (Cross Site Scripting, like reading cookies etc.)?

-abdul



On 10/30/07, geoffreymina <[EMAIL PROTECTED]> wrote:
>
>   You guys misunderstood what I was talking about. Here is the
> landscape:
>
> Server 1: (www.foo.com) Owned by me and I have a crossdomain.xml
> which allows access to *.foo.com. This server is NOT compromised and
> nobody is modifying any files.
>
> Server 2: (www.evil.com) Owned by malicious user. A Flash file is
> loaded on this server. The flash file makes calls to www.foo.com
> which under normal circumstances would NOT be allowed to access data
> on my server because of the crossdomain only allowing access from
> *.foo.com.
>
> Workstation 1: Owned by malicious user. The user makes a local host
> entry for evil.foo.com which points to the same IP as www.evil.com.
> The malicious Flash file is loaded under the evil.foo.com host header,
> which then gives it access to my server at www.foo.com.
>
> As you can see, no computers are compromised, yet the crossdomain.xml
> model fails under VERY simple circumstances.
>
> Basically what I am getting at is that crossdomain.xml really
> provides very little security at any layer.
>
> --- In flexcoders@yahoogroups.com, "Abdul Qabiz" <[EMAIL PROTECTED]>
> wrote:
> >
> > > If that same evil person can get to your hosts file, that's the
> > > fault of the OS and not Flash.
> >
> > Yup! Machine is already compromised and that guy can do lots of
> > other things :)
> >
> > -abdul
> >
> > On 10/27/07, Alex Harui <[EMAIL PROTECTED]> wrote:
> > >
> > > That's right. The goal of crossdomain.xml is to limit what an evil
> > > person can do in a SWF served over the web so that the unsuspecting Web
> > > citizen isn't burned. It does not block access to the contents from someone
> > > who has the desire to see the content on their machine. If that same evil
> > > person can get to your hosts file, that's the fault of the OS and not Flash.
> > >
> > >
> > > ------------------------------
> > >
> > > *From:* flexcoders@yahoogroups.com [mailto:flexcoders@yahoogroups.com] *On Behalf Of* Abdul Qabiz
> > > *Sent:* Friday, October 26, 2007 1:40 PM
> > > *To:* flexcoders@yahoogroups.com
> > > *Subject:* Re: [flexcoders] crossdomain.xml... real or not-so-real security?
> > >
> > >
> > >
> > > Isn't it like running a standalone SWF which can access network and local
> > > data (provided you have the right trust config)? Why run an internal server
> > > and create a host entry? A SWF in AIR/Standalone can access data from foo.com.
> > >
> > > Can you put this use-case (give an example) in the context of the internet
> > > (public)?
> > >
> > > -abdul
> > >
> > > On 10/26/07, *geoffreymina* < [EMAIL PROTECTED]> wrote:
> > >
> > > Say there is a site which has a crossdomain.xml defined:
> > >
> > > http://www.foo.com/crossdomain.xml
> > >
> > > with
> > >
> > > <allow-access-from domain="*.foo.com"/>
> > >
> > > If I were to load an SWF file on my internal webserver and create a
> > > local host file which contained an entry for fake.foo.com, could I then
> > > load the SWF file from fake.foo.com and access data on www.foo.com?
> > >
> > > If this is the case, then it seems to me that crossdomain.xml is really
> > > just something to make people feel warm and fuzzy... and not at all a
> > > real security measure.
> > >
> > > Thanks,
> > > Geoff
> > >
> > > --
> > > -abdul
> > > ---------------------------------------
> > > http://abdulqabiz.com/blog/
> > > ---------------------------------------



-- 
-abdul
---------------------------------------
http://abdulqabiz.com/blog/
---------------------------------------
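An added illustration (mine, not code from the thread, the list, or Adobe) of the check the whole discussion turns on: a small parser for the policy quoted in Geoff's message and the wildcard comparison Flash Player applies to the host name a SWF was loaded from. Against `*.foo.com`, `evil.foo.com` passes while `www.evil.com` does not, which is why an alias in the attacker's own hosts file satisfies the check yet only widens what that attacker's own browser could already fetch; the apex-matching rule and the `audit_policy` helper are my assumptions, not something the thread states.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the policy quoted in the thread:
# http://www.foo.com/crossdomain.xml granting *.foo.com.
POLICY_XML = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.foo.com"/>
</cross-domain-policy>
"""

def parse_policy(xml_text):
    """Return the domain patterns the crossdomain.xml grants access to."""
    root = ET.fromstring(xml_text)
    return [e.get("domain", "") for e in root.findall("allow-access-from")]

def domain_matches(pattern, host):
    """Wildcard rule as I read the policy-file spec (assumption): '*' matches
    any host; '*.foo.com' matches foo.com and every host below it."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        apex = pattern[2:]
        return host == apex or host.endswith("." + apex)
    return host == pattern

def policy_allows(patterns, swf_host):
    """Would the player let a SWF loaded from swf_host read www.foo.com data?
    Only the host name the SWF was loaded from is compared, so a name the
    attacker aliases to his own server in his own hosts file passes if it
    falls under an allowed pattern (the thread's evil.foo.com case)."""
    return any(domain_matches(p, swf_host) for p in patterns)

def audit_policy(patterns):
    """Flag grants that let other origins read data with a visiting user's
    browser session, which is the exposure crossdomain.xml actually gates."""
    findings = []
    for p in patterns:
        if p == "*":
            findings.append("'*' lets any site read your data as the visiting user")
        elif p.startswith("*."):
            findings.append(f"'{p}' trusts every host under {p[2:]}")
    return findings

if __name__ == "__main__":
    grants = parse_policy(POLICY_XML)
    for host in ("www.foo.com", "evil.foo.com", "www.evil.com"):
        print(f"{host:14} allowed={policy_allows(grants, host)}")
    print(audit_policy(grants))
```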
