I only had a chance to look at your first email message, but wanted to
mention something. In the legals branch, I modified the XML data
loading to use the XML flash object sometimes instead of LoadVars, so
it could post raw data. This is for the special case of "lzpostbody"
query param, which is supposed to turn into a raw data post of the
specified content to the server.
I don't know if this would have any effect on the crossdomain issue
you're having, but who knows, it might behave differently than
LoadVars.
if (proxied) {
    // Proxied requests always go through the server as a form-encoded
    // POST via LoadVars.
    lvar.sendAndLoad(reqstr, loadobj, "POST");
} else {
    // SOLO load
    if (dopost) {
        //Debug.write("POST", reqstr);
        // "lzpostbody" query param: post the given content as the raw
        // request body instead of as LoadVars name=value pairs.
        var lzpostbody = loadobj.rawpostbody;
        if (lzpostbody != null) {
            // Wrap the raw content in a text node so the XML object
            // sends it verbatim.
            var xmlraw = new XML();
            var tnode = xmlraw.createTextNode(lzpostbody);
            xmlraw.appendChild(tnode);
            xmlraw.sendAndLoad(reqstr, loadobj);
        } else {
            lvar.sendAndLoad(reqstr, loadobj, "POST");
        }
    } else {
        //Debug.write("GET", reqstr);
        lvar.sendAndLoad(reqstr, loadobj, "GET");
    }
}
I'll take a closer look at your bug report later when I actually wake
up and get these kids to school.
On 9/27/06, Don Hopkins <[EMAIL PROTECTED]> wrote:
>
> This guy had a similar problem with XMLSocket working in Firefox but not
> IE, but no answers:
>
> http://www.actionscript.org/forums/showthread.php3?t=83791
>
> The one difference I can find between my server (which works) and youtube
> (which doesn't) is that youtube returns the document compressed, and mine
> doesn't.
> I tried modifying the Accept-Encoding headers with the XML object's
> addRequestHeader method, but that had absolutely no effect on any of the
> headers I tried to modify.
>
> So is Flash's addRequestHeaders supposed to work or not?
> Here's an advisory about a security bug related to addRequestHeaders in
> Flash. Did Macromedia fix the bug by disabling it in Flash 9?
>
> http://secunia.com/advisories/20971/
>
>
> 2) A design error exists in the implementation of the "addRequestHeader()"
> method. This can be exploited to overwrite arbitrary HTTP headers in an
> outgoing HTTP request to an arbitrary web site via the "LoadVars" class and
> the "send()" method.
>
> Successful exploitation allows e.g. a malicious web site to execute
> arbitrary HTML and script code in a user's browser session in context of an
> arbitrary site by overwriting the "Host" header, but requires that the site
> has the same IP as the malicious web site but another virtual host.
>
> The vulnerability has been confirmed in version 8.0.22.0. Other versions
> may also be affected.
>
> Solution:
> Upgrade to version 9.0.16.0 or another fixed version (see the vendor
> advisory for details).
> http://www.adobe.com/support/security/bulletins/apsb06-11.html
>
>
>
>
> Multiple input validation errors have been identified in Flash Player
> 8.0.24.0 and earlier versions that could lead to the potential execution of
> arbitrary code. These vulnerabilities could be accessed through content
> delivered from a remote location via the user's web browser, email client,
> or other applications that include or reference the Flash Player.
> (CVE-2006-3311, CVE-2006-3587, CVE-2006-3588)
>
> These updates include changes to prevent circumvention of the
> "allowScriptAccess" option. (CVE-2006-4640)
>
> These updates also include changes to the way the Flash Player 7 and Flash
> Player 8 ActiveX control behaves when invoked by Microsoft Office products
> on the Windows platform. These changes are similar to ones introduced in
> Flash Player 9. (CVE-2006-3014)
>
> Flash Player 8 update (8.0.33.0), and Flash Player 7 update (7.0.66.0 or
> 7.0.68.0) address security vulnerabilities in previous versions of Flash
> Player. Updated versions of Flash Player 7 for Linux and Solaris, which
> contain fixes for these vulnerabilities, are also available from the Adobe
> Player Download Center.
>
>
>
> Here's a handy tutorial on "Forging HTTP Request Headers in Flash":
>
> http://www.securityfocus.com/archive/1/441014/30/0/threaded
>
> It mentions:
>
>
> Flash 9
> =======
>
> Flash 9 was announced June 28th, 2006 [9] (i.e. less than a month
> ago). In Flash 9, the techniques described above (for the
> LoadVars class) do not work for any browser-provided header (e.g.
> User-Agent, Host and Referer), nor probably for many "protected"
> headers such as Content-Length. Still, headers like Expect can be
> sent, so some attacks (e.g. Example 1 above) are still effective
> with Flash 9.
> So maybe addRequestHeader stopped working between Flash 8 and Flash 9, but
> the documentation doesn't mention anything about it.
>
> -Don
>
>
>
> _______________________________________________
> Laszlo-dev mailing list
> [email protected]
> http://www.openlaszlo.org/mailman/listinfo/laszlo-dev
--
Henry Minsky
Software Architect
[EMAIL PROTECTED]