Are there any security considerations if users are allowed to upload flash files?

@Rivera981

Posted in: #Flash #Php #Security #Uploading

Let's say I have a website where users are allowed to upload files which will be displayed publicly as a portfolio gallery. For example, users might upload screenshots of a website they designed, or an MS Word document of some PR example text, or a PDF of their CV, etc.

Some files will be blacklisted for security reasons, e.g. .zip files, .exe files and .php files.

What about flash files? Are there any security concerns if I were to host .swf files and automatically play them?

<?php
// Embed an uploaded .swf so it auto-plays in the gallery page.
// $extension is the upload's file extension, $urlToFLV the stored path of the upload.
// The path is HTML-escaped so it cannot break out of the attribute it is printed into.
if ($extension == 'swf') {
    $src = '/' . htmlspecialchars($urlToFLV, ENT_QUOTES, 'UTF-8');
    echo '<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=7,0,19,0" width="640" height="430">
    <param name="movie" value="' . $src . '" />
    <param name="quality" value="high" />
    <param name="wmode" value="transparent" />
    <embed wmode="transparent" src="' . $src . '" quality="high" pluginspage="http://www.macromedia.com/go/getflashplayer" type="application/x-shockwave-flash" width="400" height="430"></embed>
    </object>';
}
?>


I guess the flash code is executed in the user's browser, so if there was a security issue, it would be on their machines, not our server?

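The question's blacklist works on file extensions, but the Flash plugin decides what to play from the bytes it is handed, not from the name, so a movie renamed to .jpg still runs once it is embedded with the `type="application/x-shockwave-flash"` markup above. The following is an added example, not code from the original post, of classifying an upload by its leading bytes at upload time: the three public SWF signatures (FWS uncompressed, CWS zlib, ZWS LZMA) are rejected outright, and only a short allow-list of portfolio formats is accepted. `sniffUpload` and the sample files are constructed for this example.

```php
<?php
// Added example (not from the original post): decide what an upload is from its
// magic bytes, never from the extension the uploader chose.

// SWF container signatures: uncompressed, zlib-compressed, LZMA-compressed.
const SWF_SIGNATURES = ['FWS', 'CWS', 'ZWS'];

// Formats the gallery is willing to store; ZIP-based formats (.docx, .zip)
// are deliberately absent, matching the question's blacklist.
const ALLOWED_SIGNATURES = [
    "\x89PNG\r\n\x1a\n" => 'image/png',
    "\xFF\xD8\xFF"      => 'image/jpeg',
    "%PDF-"             => 'application/pdf',
    "\xD0\xCF\x11\xE0"  => 'application/msword',   // legacy OLE2 .doc
];

// Returns ['ok' => true, 'mime' => ...] or ['ok' => false, 'reason' => ...].
function sniffUpload(string $tmpPath): array
{
    $head = @file_get_contents($tmpPath, false, null, 0, 8);
    if ($head === false) {
        return ['ok' => false, 'reason' => 'unreadable'];
    }
    if (in_array(substr($head, 0, 3), SWF_SIGNATURES, true)) {
        return ['ok' => false, 'reason' => 'flash content'];
    }
    foreach (ALLOWED_SIGNATURES as $magic => $mime) {
        if (strncmp($head, $magic, strlen($magic)) === 0) {
            return ['ok' => true, 'mime' => $mime];
        }
    }
    return ['ok' => false, 'reason' => 'unrecognised format'];
}

// Constructed sample uploads, written to temp files so the example runs offline.
function demo(): void
{
    $samples = [
        'renamed.jpg' => "CWS\x0a\x00\x00\x00\x00",   // Flash movie hiding behind .jpg
        'cv.pdf'      => "%PDF-1.4\n",
        'shot.png'    => "\x89PNG\r\n\x1a\n",
        'notes.txt'   => "just text",
    ];
    foreach ($samples as $name => $bytes) {
        $tmp = tempnam(sys_get_temp_dir(), 'up');
        file_put_contents($tmp, $bytes);
        $r = sniffUpload($tmp);
        unlink($tmp);
        printf("%-12s %s\n", $name, $r['ok'] ? 'accept ' . $r['mime'] : 'reject: ' . $r['reason']);
    }
}

demo();
```

Run it with `php sniff.php`; `renamed.jpg` is rejected as flash content even though its extension is on no blacklist. The check belongs on the server before the file is stored, because the embed markup in the question will happily hand any stored file to the plugin.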

3 Comments


@Smith883

I do know flash and yes this is a terrible idea! This is what started all the trouble for MySpace with self-replicating virus worms. It's really simple: with flash I can get your browser to make all sorts of calls/connections/login to sites/post things as you/etc. It's amazing how much you can pull off a user with flash and report it back to any server/location on the web.

Do not let your users upload/post flash unless you plan to have them send you the .fla file and you're going to code review it and compile it yourself.


@Shanna517

I'm not a Flash programmer, and I know that Flash has a weird way of handling cookies/sessions (I think it uses your IE sessions regardless of which browser the plugin is being run from), but you may still have some potential CSRF/XSS problems.

The problem I foresee is a user uploading a malicious Flash movie that can then be used to launch CSRF attacks when embedded from any domain. If the Flash movie gets embedded in a page in your domain, then an XSS attack can be launched.

And, although not related to uploading Flash files, you may also want to prevent users from uploading a crossdomain.xml file. This file is normally placed in your domain root, but it can also be used from arbitrary locations if you specify it in the flash movie.

And as Michael mentioned, malicious Flash movies can also be dangerous to user computers. I'm not sure if the latest version has any open remote code execution vulnerabilities, but Flash has a pretty poor record. I would be very careful about allowing users to upload Flash movies. You may want to look into some kind of AV scanner that can detect malicious Flash files.

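Two of the points in this comment are about how uploads are served rather than what they contain: a crossdomain.xml that an uploader manages to place under your site hands Flash cross-domain access to it, and anything rendered from your own origin turns a bad upload into XSS. The following is an added example, not code from the original thread, of a download endpoint that refuses to serve a file named crossdomain.xml, confines lookups to the upload directory, and sends headers that make browsers download the file rather than render it. `UPLOAD_DIR`, `resolveUpload`, `downloadHeaders` and the `f` query parameter are assumptions made for this example.

```php
<?php
// Added example (not from the original thread): serve user uploads as downloads
// from a directory outside the web root, never as renderable content.

const UPLOAD_DIR = '/srv/uploads';          // assumed location, outside the web root

// Names that must never be served: a reachable crossdomain.xml can be pointed at
// by a Flash movie to grant cross-domain access to this site.
const FORBIDDEN_NAMES = ['crossdomain.xml'];

// Maps a requested name to an absolute path inside UPLOAD_DIR, or null to refuse.
function resolveUpload(string $requested): ?string
{
    $name = basename($requested);                        // strip directory parts
    if ($name === '' || in_array(strtolower($name), FORBIDDEN_NAMES, true)) {
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $name)) {     // reject odd characters
        return null;
    }
    $base = realpath(UPLOAD_DIR);
    $path = realpath(UPLOAD_DIR . '/' . $name);
    if ($base === false || $path === false) {
        return null;
    }
    // Guard against traversal: the resolved path must stay under the upload dir.
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Headers that tell the browser "this is an opaque download, do not sniff or render".
function downloadHeaders(string $name): array
{
    return [
        'Content-Type'           => 'application/octet-stream',
        'X-Content-Type-Options' => 'nosniff',
        'Content-Disposition'    => 'attachment; filename="' . str_replace('"', '', $name) . '"',
    ];
}

// Only act as an HTTP endpoint when run under a web server, so the file can
// also be included from the command line without side effects.
if (PHP_SAPI !== 'cli') {
    $path = resolveUpload($_GET['f'] ?? '');
    if ($path === null) {
        http_response_code(404);
        exit;
    }
    foreach (downloadHeaders(basename($path)) as $header => $value) {
        header($header . ': ' . $value);
    }
    readfile($path);
}
```

Files that the gallery should display inline (screenshots) are better served as real images with a fixed `Content-Type` from a separate hostname; everything else goes through an endpoint like this one. Keeping uploads off the main origin is what removes the XSS case the comment describes, and the crossdomain.xml refusal closes the cross-domain case regardless of where the file ended up.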

@Vandalay111

I would say yes, there are security considerations in allowing users to upload flash files.

The security issues may not be internal - by that I mean a threat to your server - but if your website is hosting flash files which can compromise a user's machine, or something equally nasty, then you're likely to experience problems building/maintaining a user-base or community.
