I loaded up flash. I put a button and put some AS
I ran it in my browser locally over file:///. *Immediately* I get "adobe flash player has stopped a potentially unsafe operation".
I upload to a webserver and it works (expected because there is embedding and it is same domain).
However, if I craft an .html to simulate the .swf *accidentally* being used as an img src, I get a broken link, no flaw.
So what again is exactly the problem? You don't have to try to hack Adobe.com to explain yourself in simple terms (I can test on my machine for you so you don't run the risk of being extradited for attempted hacking).
Furthermore I found out the webmaster can not only safely allow users to upload jpegs and swfs, he could even safely embed user-uploaded .swf content if he sets an attribute on the embed tag 'allowScriptAccess','never'. If he does this, SOP will NEVER apply, so basically your whole argument is hinged on the fact the webmaster sabotages his own site (which can happen with any web technology).

Ok so I was able to replicate a vulnerability.
".swfs that are not embedded in an .html page still activate the same origin policy" would be an accurate bug report, and then possibly followed by some sample code to test with like I provided.
Adobe's proposed workaround of serving the header in this case, would be undesirable because how that would affect legitimate jpg uploading is "undefined".
It should still be stated that any possible attack would still hinge on one of two
1) webmaster allowing .swf to be uploaded and hosted on same domain
2) the feasibility of generating a malicious .swf that is both a valid swf and a valid jpg, and then the website reading it as a jpeg, accepting it, and then the browser reading it as a swf (opposite of what the server read it as) and loading it in flash player; it would also hinge on the fact flash player will gracefully ignore the jpeg "bits"
#2 is doubtable without another proof of concept. #1 falls within "Webmaster being dumb" in my opinion.
My hat goes off to you for being passionate, but it is important to be objective and reasonable. It's certainly not hard to imagine someone allowing .swf to be uploaded without worrying about this. Kind of unnerving, if I do say so.
I just tested Mantis (which allows users to upload swf). Looks like it forces the proper header and all is good. Here is the .swf you can use to test with:
Looks like devnet is safe-ish as well. "The extension swf is not allowed."
http://ne8.net/sop/Untitled-1.swf
Upon clicking the blue box the cookie will be alert'd, if SOP is activated. Download to your machine and upload to your favorite website to test. You said this should work on adobe.com? Can you make a screencast of that? That would be funny if it did. Irrefutable proof Adobe does not understand their own security model.
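As an added example (not code from the thread or from Adobe), here is the defender-side check the discussion above implies: classify an upload by its leading bytes rather than its extension, reject SWF content (including an SWF header buried shortly after a JPEG prefix, as a conservative heuristic for the polyglot case in point #2), and serve accepted uploads with the response header Adobe's workaround refers to, assumed here to be `Content-Disposition: attachment` plus `X-Content-Type-Options: nosniff`. Function names, the 1 KiB scan window and the version-byte range are my assumptions.

```python
import re

# Leading bytes from the SWF and JPEG file formats (assumed constants).
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")   # uncompressed / zlib / LZMA SWF
JPEG_SIGNATURE = b"\xff\xd8\xff"
SCAN_WINDOW = 1024                          # assumed: how far in to look for a buried SWF header


def sniff_kind(data: bytes) -> str:
    """Classify by content only; the filename is deliberately ignored."""
    if data[:3] in SWF_SIGNATURES:
        return "swf"
    if data[:3] == JPEG_SIGNATURE:
        return "jpeg"
    return "unknown"


def swf_header_offset(data: bytes) -> int:
    """Offset of the first plausible SWF header inside the scan window, or -1.

    Heuristic: a signature followed by a version byte in 1..40. This is a
    conservative server-side check; it does not assume Flash Player would
    actually execute a file with a JPEG prefix in front of the SWF header.
    """
    for m in re.finditer(rb"[FCZ]WS", data[:SCAN_WINDOW + 4]):
        off = m.start()
        if off + 4 <= len(data) and 1 <= data[off + 3] <= 40:
            return off
    return -1


def decide_upload(filename: str, data: bytes):
    """Accept only when extension and sniffed content agree and no SWF header is present."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff_kind(data)
    if kind == "swf":
        return False, "SWF content is not accepted on this origin"
    if ext in ("jpg", "jpeg") and kind != "jpeg":
        return False, f"extension {ext} but content sniffed as {kind}"
    off = swf_header_offset(data)
    if off >= 0:
        return False, f"SWF header found at offset {off}"
    return True, "ok"


def download_headers(filename: str, content_type: str) -> dict:
    """Response headers for serving user uploads: forced download, no browser sniffing."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    return {
        "Content-Type": content_type,
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
    }
```

Browsers apply `Content-Disposition: attachment` to top-level navigations, not to `<img src>` subresource loads, so legitimate JPEGs served this way still render inline on the site's own pages.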