Hello strk, Wednesday, May 2, 2007, 2:01:30 PM, you wrote: s> It seems all of those expoits are exploiting their security model. s> By NOT implementing crossdomain.xml (or disabling whenever we'll implement) s> we'll be the kind of all exploits for that.
s> In my opitnion the model is just bogus itself, so wouldn't go too deep s> in trying to make it secure when it's security concept is just wrong. The two links on the Wiki page talk about bugs in implementing the security model (it's not the fault of the security model when some software does not do sanity checks). I see some security problems involved with URLs belonging to a LAN, like reconfiguring a local router using HTTP. However, this is not strictly a problem of the Flash security model since one can do HTTP GET and POST requests to a Intranet URL using JavaScript or HTTP/HTML as well (as long the response does not need to be parsed). I guess doing port scans can be done in plain JavaScript as well. Some mention that (for AJAX servers) the API should not be on the same domain with the UI: http://blog.monstuff.com/archives/000302.html However, I don't really see why this would make any difference. As long as scripts can cause the Browser to load a particular URL there will always be a security risk. Assuming crossdomain.xml allows all domains. Udo _______________________________________________ Gnash-dev mailing list [email protected] http://lists.gnu.org/mailman/listinfo/gnash-dev
