Quote:
Originally posted by Smokey The Bear
A good solution would be to actually parse the flash animation and filter malicious parameters in getURL(). This addresses the case when a Web application allows SWF files to be uploaded to the server. Webmasters are highly encouraged to parse and filter Flash content if they allow users to upload. Webmasters may choose to block any Flash content which contains getURL() actions that do not specifically point towards an HTTP site. Another solution would be to change all getURL() actions to point to a new window. This can be achieved by specifying the target window as "_blank". By making the described changes, JavaScript URLs will not execute under the hosting domain's privileges. This solution is not consistent due to the fact that ActionScript is a complex scripting language and provides the eval() function. This function allows more sophisticated hackers to even bypass protection against parsing of ActionScript.
You're awesome and thanks for looking out for us! I appreciate your information and hope the right person hears it to fix these issues.
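The parse-and-filter approach from the quoted advice, as an added example that is not from the original post or from any Flash vendor code: a small Python upload filter that walks the SWF tag stream, decodes the ActionScript 2 action records inside DoAction/DoInitAction tags, allows static getURL() targets that start with http:// or https://, blocks everything else, and flags ActionGetURL2 (the form a URL computed at runtime, including one built with eval(), compiles to) for manual review because it cannot be verified statically. It assumes the SWF tag and action record layouts from the published SWF specification, only descends into DoAction/DoInitAction (a production filter would also have to cover button and sprite clip actions), and builds its sample SWF inline.

```python
import struct
import zlib

GET_URL, GET_URL2, PUSH, DO_ACTION, DO_INIT_ACTION = 0x83, 0x9A, 0x96, 12, 59

def _tags(data):  # yields (code, body) for every SWF tag; a CWS file is inflated first
    if data[:3] == b"CWS":
        data = data[:8] + zlib.decompress(data[8:])
    elif data[:3] != b"FWS":
        raise ValueError("not a SWF file")
    # skip sig(3) ver(1) len(4), the bit-packed RECT (top 5 bits = nbits), rate(2), count(2)
    pos, code = 12 + (5 + 4 * (data[8] >> 3) + 7) // 8, None
    while code != 0 and pos + 2 <= len(data):
        hdr = struct.unpack_from("<H", data, pos)[0]
        code, length, pos = hdr >> 6, hdr & 0x3F, pos + 2
        if length == 0x3F:  # long form: a 32-bit length follows the header
            length, pos = struct.unpack_from("<I", data, pos)[0], pos + 4
        yield code, data[pos:pos + length]
        pos += length

def _actions(body):  # yields (code, payload); codes >= 0x80 carry a 16-bit payload length
    pos = 0
    while pos < len(body) and body[pos] != 0:  # 0x00 = ActionEnd
        code, length, pos = body[pos], 0, pos + 1
        if code >= 0x80:
            length, pos = struct.unpack_from("<H", body, pos)[0], pos + 2
        yield code, body[pos:pos + length]
        pos += length

def scan_geturl(data):
    """One (action, url, target, verdict) per getURL() in DoAction/DoInitAction tags."""
    findings = []
    for code, body in _tags(data):
        for acode, payload in (_actions(body) if code in (DO_ACTION, DO_INIT_ACTION) else ()):
            if acode == GET_URL:  # static form: url\0 target\0, both known at upload time
                url, target = [p.decode("latin-1") for p in (payload.split(b"\0") + [b""])[:2]]
                ok = url.strip().lower().startswith(("http://", "https://"))
                findings.append(("GetURL", url, target, "allow" if ok else "block"))
            elif acode == GET_URL2:  # URL built at runtime (stack, eval()): not provable statically
                findings.append(("GetURL2", None, None, "review"))
    return findings

_geturl = lambda u: bytes([GET_URL]) + struct.pack("<H", len(u) + 2) + u.encode() + b"\0\0"  # empty target

def build_sample_swf():  # constructed test file, not a real upload
    actions = (_geturl("http://example.com/") + _geturl("javascript:void(0)")
               + bytes([PUSH]) + b"\x03\x00\x00x\x00" + bytes([GET_URL2]) + b"\x01\x00\x00\x00")  # push "x"; getURL2; End
    body = b"\x00" + struct.pack("<HH", 12 << 8, 1)  # empty RECT, 12 fps, 1 frame
    body += struct.pack("<H", (DO_ACTION << 6) | len(actions)) + actions + b"\x00\x00"  # DoAction + End tag
    return b"FWS\x06" + struct.pack("<I", 8 + len(body)) + body
```

A filter built on this would reject an upload with any "block" finding and hold "review" findings for a human, which is exactly the gap the quoted text points out with eval().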
