My concern in regards to the crossdomain.xml came about when I realized that the security in the CFMX7 environment as it relates to the Flex2Gateway isn't very tight (or I am missing something). I have another thread rolling along in which I am trying to determine why my CF server is allowing "public" methods to be accessed via the Flex2Gateway when the /CfusionMX7/wwwroot/WEB-INF/flex/services-config.xml specifically states that only "remote" access is allowed.

I started trying to figure out what other options I had to ensure that only my SWF had access to my CFC files. I naturally looked into the Flash runtime security model, but it appears that this isn't really what I am looking for either.

thanks,
Geoff

--- In [email protected], "Abdul Qabiz" <[EMAIL PROTECTED]> wrote:
>
> Both server and workstation are owned by evil guy... As said earlier, a determined person doesn't even need a server, most of things (data-access) is doable from local SWF...
>
> I am missing something, let me try to understand your point. What you mean by "which then gives it access to my server at www.foo.com."? Are you concerned about data (xml, rss, server-side scripts etc) access? Are you concerned about XSS (Cross Site Scripting - like reading cookies etc)?
>
> -abdul
>
> On 10/30/07, geoffreymina <[EMAIL PROTECTED]> wrote:
> >
> > You guys misunderstood what I was talking about. Here is the landscape:
> >
> > Server 1: (www.foo.com) Owned by me and I have a crossdomain.xml which allows access to *.foo.com. This server is NOT compromised and nobody is modifying any files.
> >
> > Server 2: (www.evil.com) Owned by malicious user. A Flash file is loaded on this server. The flash file makes calls to www.foo.com which under normal circumstances would NOT be allowed to access data on my server because of the crossdomain only allowing access from *.foo.com.
> >
> > Workstation 1: Owned by malicious user. The user makes a local host entry for evil.foo.com which points to the same IP as www.evil.com. The malicious flash file is loaded under the evil.foo.com host header which then gives it access to my server at www.foo.com.
> >
> > As you can see, no computers are compromised, yet the crossdomain.xml model fails under VERY simple circumstances.
> >
> > Basically what I am getting at is that crossdomain.xml really provides very little security at any layer.
> >
> > --- In [email protected], "Abdul Qabiz" <abdul.qabiz@> wrote:
> > >
> > > > If that same evil person can get to your hosts file, that's the fault of the OS and not Flash.
> > >
> > > Yup! Machine is already compromised and that guy can do lots of other things :)
> > >
> > > -abdul
> > >
> > > On 10/27/07, Alex Harui <aharui@> wrote:
> > > >
> > > > That's right. The goal of crossdomain.xml is to limit what an evil person can do in a SWF served over the web so that the unsuspecting Web citizen isn't burned. It does not block access to the contents from someone who has the desire to see the content on their machine. If that same evil person can get to your hosts file, that's the fault of the OS and not Flash.
> > > >
> > > > ------------------------------
> > > >
> > > > *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Abdul Qabiz
> > > > *Sent:* Friday, October 26, 2007 1:40 PM
> > > > *To:* [email protected]
> > > > *Subject:* Re: [flexcoders] crossdomain.xml... real or not-so-real security?
> > > >
> > > > Isn't it like running a standalone SWF which can access network and local data (provided u have right trust config)? Why run an internal server and create a host entry? SWF in AIR/Standalone can access data from foo.com.
> > > >
> > > > Can you put (give an example) this use-case in context of internet (public)?
> > > >
> > > > -abdul
> > > >
> > > > On 10/26/07, *geoffreymina* <geoffreymina@> wrote:
> > > >
> > > > Say there is a site which has a crossdomain.xml defined:
> > > >
> > > > http://www.foo.com/crossdomain.xml
> > > >
> > > > with
> > > >
> > > > <allow-access-from domain="*.foo.com"/>
> > > >
> > > > If I were to load an SWF file on my internal webserver and create a local host file which contained an entry for fake.foo.com could I then load the SWF file from fake.foo.com and access data on www.foo.com?
> > > >
> > > > If this is the case, then it seems to me that crossdomain.xml is really just something to make people feel warm and fuzzy... and not at all a real security measure.
> > > >
> > > > Thanks,
> > > > Geoff
> > > >
> > > > --
> > > > -abdul
> > > > ---------------------------------------
> > > > http://abdulqabiz.com/blog/
> > > > ---------------------------------------
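The policy Geoff quotes above, `<allow-access-from domain="*.foo.com"/>`, evaluated by an added Python example that is not code from this thread or from Adobe: it parses a constructed crossdomain.xml, applies a simplified version of the Flash host-matching rule (an assumption about the exact semantics), and shows that a name such as evil.foo.com is admitted purely on the host name the SWF claims, which is Alex's point that the policy shields the browsing user rather than the content from someone who controls their own machine.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy mirroring the one quoted in the thread.
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.foo.com"/>
  <allow-access-from domain="partner.example" secure="true"/>
</cross-domain-policy>"""


def parse_policy(xml_text):
    """Return (domain_pattern, secure) for each allow-access-from entry.
    A missing secure attribute is treated as true in this simplified model."""
    root = ET.fromstring(xml_text)
    return [(node.get("domain", ""), node.get("secure", "true") != "false")
            for node in root.findall("allow-access-from")]


def host_matches(pattern, host):
    """Simplified Flash rule (assumption): '*' admits any host, '*.foo.com'
    admits foo.com and every subdomain, anything else is an exact match."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return pattern == host


def is_allowed(xml_text, swf_host):
    """True if the policy admits a SWF that claims to be served from swf_host.
    Only the claimed host name is consulted: nothing here verifies who
    actually controls that name, which is the gap the thread describes."""
    return any(host_matches(p, swf_host) for p, _ in parse_policy(xml_text))


def risky_entries(xml_text):
    """Entries worth a reviewer's attention: a global '*', a wildcard
    subdomain pattern, or an entry that also admits non-HTTPS requesters."""
    return [p for p, secure in parse_policy(xml_text)
            if p == "*" or p.startswith("*.") or not secure]


if __name__ == "__main__":
    # evil.foo.com is only a hosts-file entry on the attacker's own machine,
    # yet it satisfies the wildcard exactly like a real foo.com host would.
    for host in ("www.foo.com", "evil.foo.com", "www.evil.com"):
        print(f"{host:14} {'allowed' if is_allowed(SAMPLE_POLICY, host) else 'denied'}")
    print("review these entries:", risky_entries(SAMPLE_POLICY))
```

Because the match is decided by the Flash Player from the SWF's own loading URL, the CFC methods behind the Flex2Gateway still need server-side authorization of their own.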

