You guys misunderstood what I was talking about.  Here is the 
landscape:

Server 1: (www.foo.com) Owned by me and I have a crossdomain.xml 
which allows access to *.foo.com.  This server is NOT compromised and 
nobody is modifying any files.

Server 2: (www.evil.com) Owned by malicious user.  A Flash file is 
loaded on this server.  The flash file makes calls to www.foo.com 
which under normal circumstances would NOT be allowed to access data 
on my server because of the crossdomain only allowing access from 
*.foo.com.

Workstation 1: Owned by malicious user.  The user makes a local host 
entry for evil.foo.com which points to the same IP as www.evil.com.  
The malicious flash file is loaded under the evil.foo.com host header 
which then gives it access to my server at www.foo.com.

As you can see, no computers are compromised, yet the crossdomain.xml 
model fails under VERY simple circumstances.  

Basically what I am getting at is that crossdomain.xml really 
provides very little security at any layer.

--- In flexcoders@yahoogroups.com, "Abdul Qabiz" <[EMAIL PROTECTED]> 
wrote:
>
> > If that same evil person can get to your hosts file, that's the
> > fault of the OS and not Flash.
> 
> Yup! Machine is already compromised and that guy can do lots of
> other things :)
> 
> -abdul
> 
> On 10/27/07, Alex Harui <[EMAIL PROTECTED]> wrote:
> >
> > That's right.  The goal of crossdomain.xml is to limit what an evil
> > person can do in a SWF served over the web so that the unsuspecting
> > Web citizen isn't burned.  It does not block access to the contents
> > from someone who has the desire to see the content on their machine.
> > If that same evil person can get to your hosts file, that's the fault
> > of the OS and not Flash.
> >
> >
> >  ------------------------------
> >
> > *From:* flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] *On
> > Behalf Of *Abdul Qabiz
> > *Sent:* Friday, October 26, 2007 1:40 PM
> > *To:* flexcoders@yahoogroups.com
> > *Subject:* Re: [flexcoders] crossdomain.xml... real or not-so-real
> > security?
> >
> >
> >
> > Isn't it like running a standalone SWF which can access network and
> > local data (provided u have right trust config)? Why to run an
> > internal server and create host entry? SWF in AIR/Standalone can
> > access data from foo.com.
> >
> > Can you put (give an example) this use-case in context of internet
> > (public)?
> >
> > -abdul
> >
> > On 10/26/07, *geoffreymina* < [EMAIL PROTECTED]> wrote:
> >
> > Say there is a site which has a crossdomain.xml defined:
> >
> > http://www.foo.com/crossdomain.xml
> >
> > with
> >
> > <allow-access-from domain="*.foo.com"/>
> >
> > If I were to load an SWF file on my internal webserver and create a
> > local host file which contained an entry for fake.foo.com could I
> > then load the SWF file from fake.foo.com and access data on
> > www.foo.com?
> >
> > If this is the case, then it seems to me that crossdomain.xml is
> > really just something to make people feel warm and fuzzy... and not
> > at all a real security measure.
> >
> > Thanks,
> > Geoff
> >
> >
> >
> >
> > --
> > -abdul
> > ---------------------------------------
> > http://abdulqabiz.com/blog/
> > ---------------------------------------
> >
> >  
> >
> 
> 
> 
> -- 
> -abdul
> ---------------------------------------
> http://abdulqabiz.com/blog/
> ---------------------------------------
>
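
The check discussed in this thread, as an added example that is not part of the original posts: a simplified model of how an `allow-access-from` entry is matched against the hostname a SWF was loaded from. The function names and the suffix-matching rule are assumptions of this sketch, not Flash Player's own code.

```python
import xml.etree.ElementTree as ET

# The entry quoted in the thread, wrapped in the standard root element.
POLICY = """<cross-domain-policy>
  <allow-access-from domain="*.foo.com"/>
</cross-domain-policy>"""


def allowed_patterns(policy_xml):
    """Return the domain attribute of every allow-access-from entry."""
    root = ET.fromstring(policy_xml)
    return [e.get("domain", "").lower() for e in root.iter("allow-access-from")]


def pattern_matches(pattern, host):
    """Assumed rule: '*' matches any host, '*suffix' matches hosts ending in suffix."""
    host = host.lower().rstrip(".")
    if pattern == "*":
        return True
    if pattern.startswith("*"):
        return host.endswith(pattern[1:])
    return host == pattern


def swf_may_read(policy_xml, swf_host):
    """Decide from the SWF's hostname alone; no IP address enters the decision.

    The name is whatever the viewer's own machine resolved, so the policy
    protects other people's browsers from a SWF served off-domain. It does not
    authenticate the client, so data on www.foo.com that must stay private
    needs server-side access control.
    """
    return any(pattern_matches(p, swf_host) for p in allowed_patterns(policy_xml))


def audit(policy_xml):
    """List wildcard entries, the ones that trust every host under a suffix."""
    return [p for p in allowed_patterns(policy_xml) if p.startswith("*")]


if __name__ == "__main__":
    for host in ("www.evil.com", "evil.foo.com"):  # hostnames from the thread
        print(host, "->", swf_may_read(POLICY, host))
    print("wildcard entries:", audit(POLICY))
```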

