Adobe is not willing to fix Flash security issues.
Posted: Mon Nov 23, 2009 4:28 am
There has been some talk on Devnet about file uploading security a while ago. Apart from the common LFI and other file upload related issues, the fact that you are allowing arbitrary file uploads (and not serving them as "attachments") makes you vulnerable to "cross-domain" attacks.
Fundamentally, one should serve user uploaded files through an entirely different domain. However, this is not a very simple approach to take, especially if you are just writing software for people to use (and not deciding how the software will be used). The simplest way to be somewhat secure would be to serve the file contents with appropriate HTTP headers. However, Adobe Flash does something interesting. It does not obey the Content-Type. It does not care about the file extension. It does not care about the file contents, and as long as it contains valid Flash code to run, it will be run. To make matters worse, if I embed the uploaded file (let's call it angel.jpg) into my website, and someone visits the page, the Flash will run in the context of the original website as well as in the context of my website. That's just horrible. I don't need to get the uploaded Flash files to run on your server, I just need to run them on my server.
Adobe Flash suffers from two types of serious problems:
- There's no way for you to serve files that contain valid Flash code so that they do not run in Flash Player, except for the Content-Disposition header (which forces the browser to download the file or reject it at once).
- A Flash program in a.com embedded on b.com will run in the context of both sites.
Adobe has stated their opinion on this out loud: http://blogs.adobe.com/asset/2009/11/fl ... e-ori.html
Their answer simplified: we are not going to fix the problems, because we think developers should fix the problems.
Sure, we could buy an additional domain for user uploaded files, but how's that really going to happen in this world where developers are barely able to fix XSS and SQLi vulnerabilities alone? And as for the same origin policy, there's nothing developers can do about it.
They are just stating that if you allow users to upload content on your site, you must be trusting the content, otherwise, you can't upload it there. I can understand their thoughts on this, but it's like saying blog comments must be placed on an entirely different domain, because you can't trust them. They are missing the point. We can filter our blog comments, and they can obey Content-Types. If they would, we could serve uploaded photos as photos, regardless of whether they actually render on the browser as a picture or as a red cross.
Sun did the right thing - Java has been obeying Content-Types ever since version 6. I have no idea about Silverlight; I hope Microsoft is following Sun.
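The post argues that a server cannot stop Flash Player from executing an uploaded "image" by setting Content-Type, and that only Content-Disposition (or a separate domain) helps. The following is an added example, not code from the post or from Adobe, showing the defender-side checks that an upload handler can still perform: verify that the bytes of an upload actually match the image type its extension claims, reject anything that starts with an SWF container signature, and build the attachment-style response headers the post mentions. The sample uploads and the function names are constructed for this illustration; the X-Content-Type-Options header is an assumption of mine for browser MIME sniffing and does not address the Flash behaviour the post describes.

```python
import re

# Magic-byte signatures for the image types this handler is willing to accept.
IMAGE_SIGNATURES = {
    "image/jpeg": [b"\xff\xd8\xff"],
    "image/png": [b"\x89PNG\r\n\x1a\n"],
    "image/gif": [b"GIF87a", b"GIF89a"],
}

# SWF files begin with one of these three-byte tags (uncompressed, zlib, LZMA).
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")

# Extension -> MIME type the upload form claims to accept.
ALLOWED_EXTENSIONS = {
    "jpg": "image/jpeg",
    "jpeg": "image/jpeg",
    "png": "image/png",
    "gif": "image/gif",
}

# Constructed sample uploads (not real files): an SWF renamed to .jpg, as in
# the post's angel.jpg scenario, and a genuine-looking JPEG header.
FAKE_SWF_UPLOAD = b"CWS\x0a" + b"\x00" * 12
JPEG_UPLOAD = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 8


def sniff_image_type(data: bytes):
    """Return the MIME type whose magic bytes match, or None."""
    for mime, signatures in IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return mime
    return None


def looks_like_swf(data: bytes) -> bool:
    """True if the upload starts with an SWF container tag."""
    return data[:3] in SWF_SIGNATURES


def validate_upload(filename: str, data: bytes) -> str:
    """Return the verified MIME type, or raise ValueError if the upload
    is not the image type its extension claims to be."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = ALLOWED_EXTENSIONS.get(ext)
    if expected is None:
        raise ValueError("extension not allowed: %r" % ext)
    if looks_like_swf(data):
        raise ValueError("SWF content rejected regardless of extension")
    actual = sniff_image_type(data)
    if actual != expected:
        raise ValueError("content (%s) does not match extension (%s)" % (actual, expected))
    return actual


def download_headers(verified_mime: str, filename: str) -> dict:
    """Headers for serving a verified upload as an attachment, the one
    header-based mitigation the post says Flash Player respects."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    return {
        "Content-Type": verified_mime,
        "Content-Disposition": 'attachment; filename="%s"' % safe_name,
        # Assumption: stops browser MIME sniffing; irrelevant to Flash itself.
        "X-Content-Type-Options": "nosniff",
    }


def check_sample_uploads() -> dict:
    """Run both constructed samples through the validator."""
    results = {}
    for name, data in (("angel.jpg", FAKE_SWF_UPLOAD), ("photo.jpg", JPEG_UPLOAD)):
        try:
            results[name] = validate_upload(name, data)
        except ValueError as exc:
            results[name] = "rejected: " + str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in check_sample_uploads().items():
        print(name, "->", outcome)
    print(download_headers("image/jpeg", "photo.jpg"))
```

The magic-byte check catches the plain case the post describes, an SWF stored under an image name, but it does not change the same-origin behaviour the post complains about; that still calls for a separate upload domain, as the post says.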