Mobile app version of vmapp.org
Login or Join
Annie201

: Crossdomain.xml file - is it bad? I have crossdomain.xml in document root of my site with the following contents: <?xml version="1.0"?> <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-po

@Annie201

Posted in: #Domains #Flash #GoogleAdsense

I have crossdomain.xml in document root of my site with the following contents:

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.doubleclick.net" />
</cross-domain-policy>


This is because I want adsense advertisers using rich-media ads to see my website content in order to load correct ads.

I then check my site on detectify.com and gave me this warning about the file:


Wildcard crossdomain.xml Policy

What does this mean?

The crossdomain.xml policy file allows SWF files hosted at subdomains to interact with the domain.

What can happen?

If the attacker are able to upload a SWF at any of the subdomains or otherwise get control however a subdomain the attacker can bypass CSRF-protections at the domain and depending on the application read sensitive data.


My question is what should I really do?

Will hackers do some serious damage even though my website does not contain shockwave flash files (except for those advertisers put in the ad units)? If so, then I should remove it. But if my income drastically reduces as a result from the ad not being properly served due to a missing crossdomain.xml file, then I feel I need the file in place.

What should I do here?

10.01% popularity Vote Up Vote Down


Login to follow query

More posts by @Annie201

1 Comments

Sorted by latest first Latest Oldest Best

 

@Heady270

It means that somebody could more easily create a malicious ad. Allowing cross-domain ads allows any flash content on the allowed website (ads) to submit any form on your site or read any data from the current logged in user. Depending on your site this could facilitate:


Theft of user data
Unauthorized use of administrator functionality
Automated spam signups
Samy Myspace worm-like viruses that spread on your site between users
Forged (or spam) content created for a user without that user knowing it.

10% popularity Vote Up Vote Down


Back to top | Use Dark Theme