Allow uploads of .swf files by users on a site
Posted: Mon Dec 07, 2009 9:27 am
by matthijs
On a website I manage, with a few hundred users, one of the users wants to be able to upload and embed a .swf file. It's a WordPress blog. So far they are allowed to upload only normal images, .flv videos and PDFs.
However, since I'm not sure about .swf I wondered how I can figure out if it's a wise idea to allow him to upload and embed that kind of file. The users are not anonymous users but members of the institute. However, I still want to be very careful.
Any ideas?
[edit:] After posting this I saw the other thread about Flash security. There's probably more info there:
viewtopic.php?f=34&t=109319
Re: Allow uploads of .swf files by users on a site
Posted: Tue Dec 08, 2009 12:22 pm
by Sephern
Flash isn't secure, because users can embed ActionScript into it, and when people visit that page, the ActionScript will run (along with the Flash).
Unless you can trust your users (members of the institute or whatever) not to try and upload malicious ActionScript, I wouldn't let them upload SWFs. Generally it's a bad idea security-wise.
Re: Allow uploads of .swf files by users on a site
Posted: Tue Dec 08, 2009 12:29 pm
by matthijs
Thanks for your reply. The users are people who work at the institution. So they probably can be trusted. However, my main concern would be that, in case one of their accounts is compromised, the hacker can much more easily upload a malicious script if .swf files are allowed to be uploaded.
And what about .flv files?
Re: Allow uploads of .swf files by users on a site
Posted: Sat Dec 12, 2009 2:56 pm
by kaisellgren
Flv files are harmless, but you should serve those SWF files via another domain.
Re: Allow uploads of .swf files by users on a site
Posted: Sun Dec 13, 2009 7:02 am
by matthijs
Thanks. I'll not allow .swf file uploads.
I wonder: is there any way, other than with the Adobe software, to see what is in a .swf file and what it is doing?
Re: Allow uploads of .swf files by users on a site
Posted: Sun Dec 13, 2009 7:42 am
by kaisellgren
matthijs wrote: I wonder: is there any way, other than with the Adobe software, to see what is in a .swf file and what it is doing?
You need to decompile the SWF file and then analyze/parse the output. It would be rather complex.
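Added example, not code from any poster in this thread: short of full decompilation, an uploaded .swf can be inspected without Adobe software by reading the container and listing its top-level tags, flagging the ones that carry ActionScript. The tag codes are from the SWF file format specification; `MAX_BODY`, the function names and the sample bytes are assumptions constructed for this sketch, and scripts nested inside sprites or buttons are not descended into.

```python
import struct
import zlib
SCRIPT_TAGS = {12: "DoAction", 59: "DoInitAction", 82: "DoABC"}  # tags carrying ActionScript
MAX_BODY = 32 * 1024 * 1024  # assumed cap on the decompressed size of an upload

def swf_body(data):
    """Return the uncompressed bytes that follow the 8-byte SWF header."""
    sig = data[:3]
    if len(data) < 9 or sig not in (b"FWS", b"CWS"):
        raise ValueError("not an FWS/CWS file (LZMA 'ZWS' is not handled here)")
    if sig == b"FWS":
        return data[8:]
    inflater = zlib.decompressobj()
    body = inflater.decompress(data[8:], MAX_BODY)  # bounded: crafted input cannot balloon
    if inflater.unconsumed_tail or not body:
        raise ValueError("compressed body is empty or exceeds MAX_BODY")
    return body

def list_tags(data):
    """Return [(tag_code, payload_length), ...] for the top-level tags."""
    body = swf_body(data)
    # Skip FrameSize (RECT: 5-bit field width + 4 fields), FrameRate, FrameCount.
    pos = (5 + 4 * (body[0] >> 3) + 7) // 8 + 4
    tags = []
    while pos + 2 <= len(body):
        code_len = struct.unpack_from("<H", body, pos)[0]
        code, length, pos = code_len >> 6, code_len & 0x3F, pos + 2
        if length == 0x3F:  # long form: the real length is the next UI32
            if pos + 4 > len(body):
                raise ValueError("truncated long tag header")
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        if pos + length > len(body):
            raise ValueError("tag %d runs past end of file" % code)
        tags.append((code, length))
        if code == 0:  # End tag
            break
        pos += length
    return tags

def script_tags(data):
    return [SCRIPT_TAGS[c] for c, _ in list_tags(data) if c in SCRIPT_TAGS]

# Constructed sample (not a real upload): SWF 9 with FileAttributes, DoABC, ShowFrame, End.
def _tag(code, payload=b""):
    return struct.pack("<H", (code << 6) | len(payload)) + payload  # short form, < 63 bytes
_BODY = (b"\x00" + b"\x00\x0c" + b"\x01\x00" + _tag(69, b"\x08\x00\x00\x00")
         + _tag(82, b"\x00" * 5 + b"abc") + _tag(1) + _tag(0))
SAMPLE_FWS = b"FWS\x09" + struct.pack("<I", 8 + len(_BODY)) + _BODY
SAMPLE_CWS = b"CWS\x09" + struct.pack("<I", 8 + len(_BODY)) + zlib.compress(_BODY)
```

A non-empty result from `script_tags` means the file will execute code in the viewer's player; an empty result does not prove the file is script-free, because nested tags are not examined.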