web application security lab

New Holes Using Flash Cross Domain Policy

Okay, it’s been a tough day for new holes. This one affects nearly as many sites as the last IE hole, if you can believe that. Stefan Esser today released an issue with Flash where cross domain policy files can be embedded in almost anything. This isn’t the kind of thing you like to hear. Typically this sort of thing is handled by a proper XML parser that rejects anything around the policy, not by scanning for where the XML begins and ends and accepting whatever is in between. As a result this could be a pretty big deal.

Any website that lets you host images, or lets you do redirection (thanks to the Internet Explorer mhtml issue), or has a blacklist of HTML tags is now vulnerable to complete cross domain access via Flash. That’s really bad, folks. Although Stefan says that response splitting and XSS aren’t issues since you already have XSS access in those cases, this isn’t completely true. I’ve seen a few situations where I could inject information but it wouldn’t render as HTML. Things served as text/plain are now vulnerable too. Like I said, this is not a small problem, and it will affect many, many websites out there that are otherwise free from compromise.
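To make the difference concrete, here is an added example (not code from the post or from Adobe) contrasting the strict check a policy reader should perform with the tolerant "find the tag anywhere" behaviour the post describes; the second function doubles as an upload-time detector a site operator can run over user-hosted files. The sample GIF and text bodies are constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

# Any occurrence of the policy root element, anywhere in a byte stream.
POLICY_TAG = re.compile(rb"<\s*cross-domain-policy\b", re.IGNORECASE)

def strict_policy_root(body: bytes):
    """Parse the body as one complete XML document and return the root
    element only if it is <cross-domain-policy>; return None otherwise.
    Leading binary junk (an image header) or surrounding text makes the
    whole document malformed, so an embedded policy is rejected."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    return root if root.tag == "cross-domain-policy" else None

def contains_embedded_policy(body: bytes) -> bool:
    """Lenient scan: flag any user-supplied content that carries a policy
    element somewhere inside it, which is what a tolerant reader would
    honour. Useful as an upload-time or response-time detection."""
    return POLICY_TAG.search(body) is not None

def allowed_domains(body: bytes) -> list:
    """Domains granted by a strictly valid policy (empty if invalid)."""
    root = strict_policy_root(body)
    if root is None:
        return []
    return [e.get("domain", "") for e in root.iter("allow-access-from")]

def classify(body: bytes) -> str:
    """Verdict for a hosted file: 'policy', 'embedded-policy' or 'clean'."""
    if strict_policy_root(body) is not None:
        return "policy"
    if contains_embedded_policy(body):
        return "embedded-policy"
    return "clean"

# Constructed samples (not taken from the post).
POLICY = b'<cross-domain-policy><allow-access-from domain="*"/></cross-domain-policy>'
LEGIT_POLICY = (b'<?xml version="1.0"?><cross-domain-policy>'
                b'<allow-access-from domain="www.example.com"/></cross-domain-policy>')
GIF_WITH_POLICY = b"GIF89a\x10\x00\x10\x00\x80\x00\x00" + POLICY + b"\x00;"
PLAIN_TEXT_WITH_POLICY = b"My profile text " + POLICY + b" thanks for reading"
ORDINARY_GIF = b"GIF89a\x10\x00\x10\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00;"

if __name__ == "__main__":
    for name in ("LEGIT_POLICY", "GIF_WITH_POLICY", "PLAIN_TEXT_WITH_POLICY", "ORDINARY_GIF"):
        body = globals()[name]
        print(name, classify(body), allowed_domains(body))
```

The strict reader rejects both the GIF and the text/plain body because neither is a well-formed XML document on its own, while the lenient scan flags both as carrying an embedded policy.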

3 Responses to “New Holes Using Flash Cross Domain Policy”

  1. ron999 Says:

    I know you are a big fan of Flash vulnerabilities, did you see this one ?:
    http://marc.theaimsgroup.com/?l=full-disclosure&m=116111694621076&w=2

  2. RSnake Says:

    Hey, ron999, actually I did… I wasn’t sure if this was really additional information from the original flash vulnerability or not. Do you know what the deltas are between this report and the original one?

  3. ron999 Says:

    Well this vuln affects all recent Flash versions (7, 8, 9) and allows for exploitation in IE as well as Firefox, while the other previously disclosed vulns don’t affect Flash 9 and are somewhat harder to exploit in Firefox. It is also interesting that this vuln makes it possible for attackers to do http request splitting attacks (when Firefox is used). AFAIK, this is a first.

    Adobe has published an advisory about it, btw:
    http://www.adobe.com/support/security/advisories/apsa06-01.html