On a website I manage, with a few hundred users, one of the users wants to be able to upload and embed a .swf file. It's a wordpress blog. So far they are allowed to upload only normal images, .flv video's and pdf's.
However, since I'm not sure about .swf I wondered how I can figure out if it's a wise idea to allow him to upload and embed that kind of file. The users are not anonymous users but members of the institute. However, I still want to be very careful.
Any ideas?
[edit:]after posting this I saw the other thread about Flash security. There's probably more info there
viewtopic.php?f=34&t=109319
Allow uploads of .swf files by users on a site
Moderator: General Moderators
Re: Allow uploads of .swf files by users on a site
Flash isn't secure, because users can embed Actionscript into it, and when people visit that page, the actionscript will run (along with the flash).
Unless you can trust your users (members of the institute or whatever) not to try and upload malicious actionscript, I wouldn't let them upload SWF's. Generally its a bad idea security wise.
Unless you can trust your users (members of the institute or whatever) not to try and upload malicious actionscript, I wouldn't let them upload SWF's. Generally its a bad idea security wise.
Re: Allow uploads of .swf files by users on a site
Thanks for your reply. The users are people who work at the institution. So they probably can be trusted. However, my main concern would be, in case one of their accounts is compromised, the hacker can much easier upload a malicious script if the /swf files are allowed to be uploaded.
And what about .flv files?
And what about .flv files?
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: Allow uploads of .swf files by users on a site
Flv files are harmless, but you should serve those SWF files via another domain.
Re: Allow uploads of .swf files by users on a site
Thanks. I'll not allow .swf file uploads.
I wonder: is there any way other then with the Adobe software, to see what is in a .swf file and what it is doing?
I wonder: is there any way other then with the Adobe software, to see what is in a .swf file and what it is doing?
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: Allow uploads of .swf files by users on a site
You need to decompile the SWF file and then analyze/parse the output. It would be rather complex.matthijs wrote:I wonder: is there any way other then with the Adobe software, to see what is in a .swf file and what it is doing?