Allow uploads of .swf files by users on a site

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Allow uploads of .swf files by users on a site

Post by matthijs »

On a website I manage, with a few hundred users, one of the users wants to be able to upload and embed a .swf file. It's a WordPress blog. So far they are allowed to upload only normal images, .flv videos and PDFs.

However, since I'm not sure about .swf I wondered how I can figure out if it's a wise idea to allow him to upload and embed that kind of file. The users are not anonymous users but members of the institute. However, I still want to be very careful.

Any ideas?

[edit:] After posting this I saw the other thread about Flash security. There's probably more info there:
viewtopic.php?f=34&t=109319
Sephern
Forum Commoner
Posts: 73
Joined: Sun Jan 04, 2009 4:44 pm

Re: Allow uploads of .swf files by users on a site

Post by Sephern »

Flash isn't secure, because users can embed ActionScript into it, and when people visit that page, the ActionScript will run (along with the Flash).

Unless you can trust your users (members of the institute or whatever) not to try and upload malicious ActionScript, I wouldn't let them upload SWFs. Generally it's a bad idea security-wise.
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Re: Allow uploads of .swf files by users on a site

Post by matthijs »

Thanks for your reply. The users are people who work at the institution. So they probably can be trusted. However, my main concern would be that, in case one of their accounts is compromised, the hacker can much more easily upload a malicious script if .swf files are allowed to be uploaded.

And what about .flv files?
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Allow uploads of .swf files by users on a site

Post by kaisellgren »

Flv files are harmless, but you should serve those SWF files via another domain.
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Re: Allow uploads of .swf files by users on a site

Post by matthijs »

Thanks. I'll not allow .swf file uploads.

I wonder: is there any way other than with the Adobe software, to see what is in a .swf file and what it is doing?
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Allow uploads of .swf files by users on a site

Post by kaisellgren »

matthijs wrote: I wonder: is there any way other than with the Adobe software, to see what is in a .swf file and what it is doing?
You need to decompile the SWF file and then analyze/parse the output. It would be rather complex.
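
A first-pass triage for the question above, as an added example that is not part of the thread: this Python code walks the top-level tags of an uncompressed (FWS) or zlib-compressed (CWS) SWF and reports the ones whose bodies hold script, without decompiling anything. The function names and the sample file are constructed for illustration.

```python
import struct
import zlib

# Tag codes from the SWF file format specification whose bodies hold script.
# Not exhaustive: button and clip-event records can carry actions as well.
SCRIPT_TAGS = {12: "DoAction", 59: "DoInitAction", 82: "DoABC"}

def script_tags(data: bytes) -> list:
    """Return (tag name, body length) for each script tag at the top level."""
    if len(data) < 8 or data[:3] not in (b"FWS", b"CWS"):
        raise ValueError("not an uncompressed or zlib-compressed SWF")
    body = data[8:]
    if data[:3] == b"CWS":              # bytes after the 8-byte header are zlib
        body = zlib.decompress(body)
    if not body:
        raise ValueError("empty SWF body")
    nbits = body[0] >> 3                # frame-size RECT: 5-bit width, 4 fields
    pos = (5 + 4 * nbits + 7) // 8 + 4  # skip RECT, frame rate, frame count
    found = []
    while pos + 2 <= len(body):
        (head,) = struct.unpack_from("<H", body, pos)
        pos += 2
        code, length = head >> 6, head & 0x3F
        if length == 0x3F:              # long record header: 32-bit length follows
            if pos + 4 > len(body):
                raise ValueError("truncated tag header")
            (length,) = struct.unpack_from("<I", body, pos)
            pos += 4
        if pos + length > len(body):
            raise ValueError("tag runs past end of data")
        if code in SCRIPT_TAGS:
            found.append((SCRIPT_TAGS[code], length))
        if code == 0:                   # End tag
            break
        pos += length
    return found

def sample_swf(compressed: bool = False, abc_len: int = 0) -> bytes:
    """Constructed test file: background colour, DoAction, optional DoABC, End."""
    def tag(code, payload=b""):
        if len(payload) < 0x3F:
            return struct.pack("<H", code << 6 | len(payload)) + payload
        return struct.pack("<HI", code << 6 | 0x3F, len(payload)) + payload
    body = b"\x00" + b"\x00\x0c" + b"\x01\x00"      # empty RECT, 12 fps, 1 frame
    body += tag(9, b"\xff\xff\xff") + tag(12, b"\x00")
    if abc_len:
        body += tag(82, bytes(abc_len))
    body += tag(1) + tag(0)
    head = (b"CWS" if compressed else b"FWS") + b"\x08" + struct.pack("<I", 8 + len(body))
    return head + (zlib.compress(body) if compressed else body)
```

An empty result only means no script tag at the top level; tags nested inside sprites, and LZMA-compressed (ZWS) files, are not examined.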