Kuza55 and I have been trading emails over the last few days around a new technique he has been working on, which he posted a few days ago, regarding spoofing user agents. There are a lot of systems that act on the User-Agent header (logging it, branching on it, and so on). Typically that's not a problem, because the only person you can hurt by tampering with your own user agent is yourself. However, if you can force someone else's browser to send a user agent of your choosing, you can get them to exploit themselves.
So the problem is that Flash allows you to submit a “User_Agent” header (underscore) even though it does not let you set “User-Agent” (hyphen), and in some environments both spellings end up in the same place: the CGI convention uppercases a header name, replaces hyphens with underscores and prefixes it with “HTTP_”, so “User_Agent” and “User-Agent” both become “HTTP_USER_AGENT” (Perl CGI scripts, for instance, read the user agent from exactly that variable). A number of languages and CGI environments are affected in the same way. The easiest fix would probably be for Flash to disallow injection of User_Agent and the other headers that may be used on the web in unsafe ways.
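To make the collision concrete, here is an added example (not code from the original post or from Kuza55's demo) that simulates the CGI header-to-environment mapping and shows the browser's real User-Agent being shadowed by a Flash-injected User_Agent. The request header lists are constructed samples; the “later header wins” rule in build_cgi_env is an assumption (some gateways join duplicate values instead), and reflect_user_agent is a deliberately unsafe stand-in for a server-side script that trusts HTTP_USER_AGENT. The hardened variant drops any header name containing an underscore before mapping, a server-side counterpart to the Flash-side fix suggested above.

```python
"""
Simulates how a CGI-style gateway maps request headers to HTTP_* variables
and why an injected "User_Agent" header collides with the real "User-Agent".

Added example; not code from the original post or from Kuza55's demo.
Assumptions: the sample requests below are constructed, a later header
overwrites an earlier one with the same variable name, and
reflect_user_agent stands in for a script that trusts HTTP_USER_AGENT.
"""
from html import escape


def cgi_env_name(header_name: str) -> str:
    """CGI meta-variable name for a request header: uppercase, '-' -> '_',
    prefixed with HTTP_.  An underscore in the original name survives
    unchanged, so 'User_Agent' and 'User-Agent' both map to HTTP_USER_AGENT."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def build_cgi_env(headers, reject_underscores=False):
    """Build the HTTP_* environment dict from an ordered list of
    (name, value) header pairs.

    reject_underscores=True drops any header whose raw name contains '_'
    before it is mapped, so the injected spelling can never reach the
    variable the script reads (server-side analogue of the Flash fix)."""
    env = {}
    for name, value in headers:
        if reject_underscores and "_" in name:
            continue
        # Assumption: a later header overwrites an earlier one that maps
        # to the same variable; real gateways may join the values instead.
        env[cgi_env_name(name)] = value
    return env


def reflect_user_agent(env):
    """Deliberately unsafe: echoes HTTP_USER_AGENT into HTML unescaped,
    the kind of script that makes a victim exploit themselves."""
    return "<p>Your browser: %s</p>" % env.get("HTTP_USER_AGENT", "")


def reflect_user_agent_safe(env):
    """Same output, but HTML-escaped; the spoofed value is then inert."""
    return "<p>Your browser: %s</p>" % escape(env.get("HTTP_USER_AGENT", ""))


BROWSER_UA = "Mozilla/5.0 (constructed sample browser)"
INJECTED_UA = "<script>alert(document.cookie)</script>"

# Constructed request: the browser sends its genuine User-Agent and the
# Flash movie appends a User_Agent header, which Flash does not block.
# Header order is an assumption; either order lets the attacker influence
# the variable, this order lets the injected value win outright.
SPOOFED_REQUEST = [
    ("Host", "victim.example"),
    ("User-Agent", BROWSER_UA),
    ("User_Agent", INJECTED_UA),
]


def demo():
    """Return (naive gateway's HTTP_USER_AGENT, hardened gateway's)."""
    naive = build_cgi_env(SPOOFED_REQUEST)
    hardened = build_cgi_env(SPOOFED_REQUEST, reject_underscores=True)
    return naive["HTTP_USER_AGENT"], hardened["HTTP_USER_AGENT"]


if __name__ == "__main__":
    naive_ua, hardened_ua = demo()
    print("naive gateway sees:   ", naive_ua)
    print("hardened gateway sees:", hardened_ua)
    print(reflect_user_agent(build_cgi_env(SPOOFED_REQUEST)))
    print(reflect_user_agent_safe(build_cgi_env(SPOOFED_REQUEST)))
```

Running it shows the naive gateway handing the script the injected value while the hardened one keeps the browser's real string; the two reflect functions show why the value matters once a script embeds it in a page without escaping.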
Very nice work by Kuza55. It took a while to get a demo that we could both use, but click here for an example of changing your user agent. I don’t allow the attack to render (for obvious reasons), but you can at least see the demo. Very nasty.