This guy had a similar problem with XMLSocket working in Firefox but
not IE, but no answers:
http://www.actionscript.org/forums/showthread.php3?t=83791
The one difference I can find between my server (which works) and
youtube (which doesn't) is that youtube returns the document
compressed, and mine doesn't.
I tried modifying the Accept-Encoding headers with the XML object's
addRequestHeader method, but that had absolutely no effect on any of
the headers I tried to modify.
So is Flash's addRequestHeader supposed to work or not?
Here's an advisory about a security bug related to addRequestHeader in
Flash. Did Macromedia fix the bug by disabling it in Flash 9?
http://secunia.com/advisories/20971/
2) A design error exists in the implementation of the
"addRequestHeader()" method. This can be exploited to overwrite
arbitrary HTTP headers in an outgoing HTTP request to an arbitrary web
site via the "LoadVars" class and the "send()" method.
Successful exploitation allows e.g. a malicious web site to execute
arbitrary HTML and script code in a user's browser session in context
of an arbitrary site by overwriting the "Host" header, but requires
that the site has the same IP as the malicious web site but another
virtual host.
The vulnerability has been confirmed in version 8.0.22.0. Other
versions may also be affected.
Solution:
Upgrade to version 9.0.16.0 or another fixed version (see the vendor
advisory for details).
http://www.adobe.com/support/security/bulletins/apsb06-11.html
Multiple input validation errors have been identified in Flash
Player 8.0.24.0 and earlier versions that could lead to the potential
execution of arbitrary code. These vulnerabilities could be accessed
through content delivered from a remote location via the user’s web
browser, email client, or other applications that include or reference
the Flash Player. (CVE-2006-3311, CVE-2006-3587, CVE-2006-3588)
These updates include changes to prevent circumvention of the
“allowScriptAccess” option. (CVE-2006-4640)
These updates also include changes to the way the Flash Player 7 and
Flash Player 8 ActiveX control behaves when invoked by Microsoft Office
products on the Windows platform. These changes are similar to ones
introduced in Flash Player 9. (CVE-2006-3014)
Flash Player 8 update (8.0.33.0), and Flash Player 7 update (7.0.66.0 or
7.0.68.0) address security vulnerabilities in previous versions of
Flash Player. Updated versions of Flash Player 7 for Linux and Solaris,
which contain fixes for these vulnerabilities, are also available from
the Adobe Player Download Center.
Here's a handy tutorial on "Forging HTTP Request Headers in Flash":
http://www.securityfocus.com/archive/1/441014/30/0/threaded
It mentions:
Flash 9
=======
Flash 9 was announced June 28th, 2006 [9] (i.e. less than a month
ago). In Flash 9, the techniques described above (for the
LoadVars class) do not work for any browser-provided header (e.g.
User-Agent, Host and Referer), nor probably for many "protected"
headers such as Content-Length. Still, headers like Expect can be
sent, so some attacks (e.g. Example 1 above) are still effective
with Flash 9.
So maybe addRequestHeader stopped working between Flash 8 and Flash 9,
but the documentation doesn't mention anything about it.
-Don
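A model of the header-override policy the quoted SecurityFocus post attributes to Flash 9, written here as an added example (it is not Flash Player or OpenLaszlo code); the exact browser-provided and protected header sets are an assumption drawn from the quoted text.

```python
# Model of the header-override policy the quoted SecurityFocus post
# attributes to Flash 9: browser-provided headers (Host, User-Agent,
# Referer) and framing headers such as Content-Length cannot be
# replaced by content, while headers like Expect or Accept-Encoding can.
# Added illustration, not Flash Player code; the exact sets are assumed.

BROWSER_PROVIDED = frozenset({"host", "user-agent", "referer"})
PROTECTED = frozenset({"content-length", "transfer-encoding", "connection"})

class HeaderRejected(ValueError):
    """Raised when content tries to set a header it may not control."""

def add_request_header(headers, name, value):
    """Return a copy of `headers` with `name` set to `value`, or raise.

    Names are compared case-insensitively, so "HOST" and "Host" collide.
    """
    key = name.strip().lower()
    if not key or any(c in key for c in " :\r\n"):
        raise HeaderRejected(f"malformed header name {name!r}")
    if "\r" in value or "\n" in value:
        raise HeaderRejected("CR/LF in header value")  # header injection
    if key in BROWSER_PROVIDED or key in PROTECTED:
        raise HeaderRejected(f"{name} is browser-provided or protected")
    out = {k: v for k, v in headers.items() if k.lower() != key}
    out[name.strip()] = value.strip()
    return out

def apply_headers(base, requested):
    """Apply (name, value) pairs in order; collect rejections instead of
    aborting, the way a runtime would log them. Returns (headers, rejected)."""
    current = dict(base)
    rejected = []
    for name, value in requested:
        try:
            current = add_request_header(current, name, value)
        except HeaderRejected as exc:
            rejected.append((name, str(exc)))
    return current, rejected

if __name__ == "__main__":
    base = {"Host": "www.example.com", "User-Agent": "Browser/1.0"}  # constructed
    final, dropped = apply_headers(base, [
        ("Host", "other.example.com"),    # the overwrite in the Secunia advisory
        ("Accept-Encoding", "identity"),  # the header Don tried to set
        ("Expect", "100-continue"),       # still allowed, per the Flash 9 note
    ])
    print(final)
    print(dropped)
```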
_______________________________________________
Laszlo-dev mailing list
[email protected]
http://www.openlaszlo.org/mailman/listinfo/laszlo-dev