Forgot your password?
typodupeerror

Comment: Re:Client or server? (Score 1) 355

by theTerribleRobbo (#30085328) Attached to: Flash Vulnerability Found, Adobe Says No Fix Forthcoming

Wait. One of us must be missing something.
For the purposes of the below, I'm excluding the JIFAR-alike vulnerability where a SWF looks like a valid JPEG; this is just regarding the renamed-SWF mentioned in the article:

To be sure, any server that allows unvalidated uploads of contents will let an attacker upload html pages with cross-site scripting or other attacks, but SWF files do not require a .swf extension or special content-type headers to execute.

Say we have two sites, one that the user is logged into (facenovel.com), and the attacker's site (mal.com).
An attacker uploads a malicious SWF (containing a javascript call that steals the cookie or what have you), except uploads it as nasty.jpg to facenovel.com to get around simple file-extension filtering.

  • Accessing the file directly (facenovel.com/uploads/nasty.jpg) doesn't run it as a flash movie, it just gets interpreted as a stuffed JPEG.
  • As per the above, I instead have an HTML page hosted on mal.com that embeds facenovel.com/uploads/nasty.jpg and forces a content-type of "application-x-shockwave-flash".
    The javascript does not run; it does not have permission to access anything.

I can't think of a case where a simple rename presents a vulnerability (without the previously-mentioned JIFAR-like hackery).
Help please. :S
 

Comment: Re:Client or server? (Score 2, Interesting) 355

by theTerribleRobbo (#30081826) Attached to: Flash Vulnerability Found, Adobe Says No Fix Forthcoming

So, user uploads a file - say, a picture for a forum avatar. Your image validation misses that malicious_flash.jpg is really a SWF file, and now you're executing flash all over the place "in the context of your domain." Which I guess means any SWF file I manage to upload anywhere can eat the hosting webserver.

Also, from the article:

To be sure, any server that allows unvalidated uploads of contents will let an attacker upload html pages with cross-site scripting or other attacks, but SWF files do not require a .swf extension or special content-type headers to execute.

This is what I don't get: I understand that if a JPG is also a SWF (as per GIFAR and other manglements), it'll fool the browser into loading the content as flash.

Simply chucking a SWF on a server, renaming it to foobar.jpg, and visiting it at http://example/foobar.jpg doesn't load it as flash. Unless I'm really missing something here, I don't see how you can get the JPG to run as flash without also mucking around with content-type headers.

Can someone enlighten me, please? :-)

Comment: Re:Hyperbole much (Score 3, Insightful) 406

by theTerribleRobbo (#29818455) Attached to: Sequoia Voting Systems Source Code Released

From the site:

UPDATE 10/20/09 5:45pm Pacific Time: It appears the files were NOT VANDALIZED and will open in MS-SQL Server 2005. It also appears they did redact "code" to some degree. I'm still not clear on why there are thousands of lines of source code still left in there. I'm working on scoring a copy of SQL Server 2005 ASAP so I can look for myself. Check the discussion areas to follow along in realtime.

Interesting.

Our business in life is not to succeed but to continue to fail in high spirits. -- Robert Louis Stevenson

Working...