[cfaussie] Re: Flash sites being hacked
writing to the client machine or the server? 2009/4/2 Steve Onnis > Does anyone know of any vulnerabilities or security issues with flash > player that would enable someone to write files to a file system through the > flash player? > > I have a few sites that keep getting hacked and they are all flash based > websites. > > Regards > Steve Onnis > > > > -- AJ Mercer Web Log: http://webonix.net --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups "cfaussie" group. To post to this group, send email to cfaussie@googlegroups.com To unsubscribe from this group, send email to cfaussie+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/cfaussie?hl=en -~--~~~~--~~--~--~---
[cfaussie] Re: Flash sites being hacked
Have a look at this. http://www.hp.com/go/swfscan Cheers Gareth. On 2/4/09 12:54 PM, Steve Onnis wrote: Does anyone know of any vulnerabilities or security issues with flash player that would enable someone to write files to a file system through the flash player? I have a few sites that keep getting hacked and they are all flash based websites. Regards Steve Onnis --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups "cfaussie" group. To post to this group, send email to cfaussie@googlegroups.com To unsubscribe from this group, send email to cfaussie+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/cfaussie?hl=en -~--~~~~--~~--~--~---
[cfaussie] Re: Flash sites being hacked
1. Define "Flash based websites" - HTML with a SWF? Or any server-side technology involved etc? 2. Define "Hacked" - what's being done? Cheers Kai > writing to the client machine or the server? > > > 2009/4/2 Steve Onnis > Does anyone know of any vulnerabilities or security issues with > flash player that would enable someone to write files to a file > system through the flash player? > > I have a few sites that keep getting hacked and they are all flash > based websites. > > Regards > Steve Onnis > > > > > > -- > AJ Mercer > Web Log: http://webonix.net > > > _ Kai Koenig - Ventego Creative Ltd ph: +64 4 476 6781 - mob: +64 21 928 365 / +61 450 132 117 web: http://www.ventego-creative.co.nz blog: http://www.bloginblack.de --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups "cfaussie" group. To post to this group, send email to cfaussie@googlegroups.com To unsubscribe from this group, send email to cfaussie+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/cfaussie?hl=en -~--~~~~--~~--~--~---
[cfaussie] Re: Flash sites being hacked
yeah an SWF and a page embedding it, wether it be HTML or CFM They are loading up default.htm/html, index.htm/html and so on pages just say this site has been hacked yadda yadda _ From: cfaussie@googlegroups.com [mailto:cfaus...@googlegroups.com] On Behalf Of Kai Koenig Sent: Thursday, 2 April 2009 2:04 PM To: cfaussie@googlegroups.com Subject: [cfaussie] Re: Flash sites being hacked 1. Define "Flash based websites" - HTML with a SWF? Or any server-side technology involved etc? 2. Define "Hacked" - what's being done? Cheers Kai writing to the client machine or the server? 2009/4/2 Steve Onnis Does anyone know of any vulnerabilities or security issues with flash player that would enable someone to write files to a file system through the flash player? I have a few sites that keep getting hacked and they are all flash based websites. Regards Steve Onnis -- AJ Mercer Web Log: http://webonix.net _ Kai Koenig - Ventego Creative Ltd ph: +64 4 476 6781 - mob: +64 21 928 365 / +61 450 132 117 web: http://www.ventego-creative.co.nz blog: http://www.bloginblack.de --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups "cfaussie" group. To post to this group, send email to cfaussie@googlegroups.com To unsubscribe from this group, send email to cfaussie+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/cfaussie?hl=en -~--~~~~--~~--~--~---
[cfaussie] Re: Flash sites being hacked
to the server _ From: cfaussie@googlegroups.com [mailto:cfaus...@googlegroups.com] On Behalf Of AJ Mercer Sent: Thursday, 2 April 2009 1:58 PM To: cfaussie@googlegroups.com Subject: [cfaussie] Re: Flash sites being hacked writing to the client machine or the server? 2009/4/2 Steve Onnis Does anyone know of any vulnerabilities or security issues with flash player that would enable someone to write files to a file system through the flash player? I have a few sites that keep getting hacked and they are all flash based websites. Regards Steve Onnis -- AJ Mercer Web Log: http://webonix.net --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups "cfaussie" group. To post to this group, send email to cfaussie@googlegroups.com To unsubscribe from this group, send email to cfaussie+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/cfaussie?hl=en -~--~~~~--~~--~--~---
[cfaussie] Re: Flash sites being hacked
then this HP sales guy rings you up from the third world and proffers hp services :) On Thu, Apr 2, 2009 at 2:08 PM, Steve Onnis wrote: > to the server > > From: cfaussie@googlegroups.com [mailto:cfaus...@googlegroups.com] On Behalf > Of AJ Mercer > Sent: Thursday, 2 April 2009 1:58 PM > To: cfaussie@googlegroups.com > Subject: [cfaussie] Re: Flash sites being hacked > > writing to the client machine or the server? > > > 2009/4/2 Steve Onnis >> >> Does anyone know of any vulnerabilities or security issues with flash >> player that would enable someone to write files to a file system through the >> flash player? >> >> I have a few sites that keep getting hacked and they are all flash based >> websites. >> >> Regards >> Steve Onnis >> > > > > -- > AJ Mercer > Web Log: http://webonix.net > > > -- Zac Spitzer - http://zacster.blogspot.com +61 405 847 168 --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups "cfaussie" group. To post to this group, send email to cfaussie@googlegroups.com To unsubscribe from this group, send email to cfaussie+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/cfaussie?hl=en -~--~~~~--~~--~--~---
[cfaussie] Re: Flash sites being hacked
You can get the download with giving them a faked email address :) > > then this HP sales guy rings you up from the third world and proffers > hp services :) > > On Thu, Apr 2, 2009 at 2:08 PM, Steve Onnis > wrote: >> to the server >> >> From: cfaussie@googlegroups.com [mailto:cfaus...@googlegroups.com] >> On Behalf >> Of AJ Mercer >> Sent: Thursday, 2 April 2009 1:58 PM >> To: cfaussie@googlegroups.com >> Subject: [cfaussie] Re: Flash sites being hacked >> >> writing to the client machine or the server? >> >> >> 2009/4/2 Steve Onnis >>> >>> Does anyone know of any vulnerabilities or security issues with >>> flash >>> player that would enable someone to write files to a file system >>> through the >>> flash player? >>> >>> I have a few sites that keep getting hacked and they are all flash >>> based >>> websites. >>> >>> Regards >>> Steve Onnis >>> >> >> >> >> -- >> AJ Mercer >> Web Log: http://webonix.net >>> >> > > > > -- > Zac Spitzer - > http://zacster.blogspot.com > +61 405 847 168 > > > _ Kai Koenig - Ventego Creative Ltd ph: +64 4 476 6781 - mob: +64 21 928 365 / +61 450 132 117 web: http://www.ventego-creative.co.nz blog: http://www.bloginblack.de --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups "cfaussie" group. To post to this group, send email to cfaussie@googlegroups.com To unsubscribe from this group, send email to cfaussie+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/cfaussie?hl=en -~--~~~~--~~--~--~---
[cfaussie] Re: Flash sites being hacked
> yeah an SWF and a page embedding it, wether it be HTML or CFM > > They are loading up default.htm/html, index.htm/html and so on pages > just say this site has been hacked yadda yadda > Not sure what the last part means? What says this site has been hacked? Sorry, if you want help you'd need to specify a bit more detailled what's happening. Kai --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups "cfaussie" group. To post to this group, send email to cfaussie@googlegroups.com To unsubscribe from this group, send email to cfaussie+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/cfaussie?hl=en -~--~~~~--~~--~--~---
[cfaussie] Re: Flash sites being hacked
instead of the actual site being loaded, there is a replacement page with junk in there saying that site has been hacked. they are not getting in via ftp or any other way and i am sus about it being only flah sites that it is happening to _ From: cfaussie@googlegroups.com [mailto:cfaus...@googlegroups.com] On Behalf Of Kai Koenig Sent: Thursday, 2 April 2009 2:40 PM To: cfaussie@googlegroups.com Subject: [cfaussie] Re: Flash sites being hacked yeah an SWF and a page embedding it, wether it be HTML or CFM They are loading up default.htm/html, index.htm/html and so on pages just say this site has been hacked yadda yadda Not sure what the last part means? What says this site has been hacked? Sorry, if you want help you'd need to specify a bit more detailled what's happening. Kai --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups "cfaussie" group. To post to this group, send email to cfaussie@googlegroups.com To unsubscribe from this group, send email to cfaussie+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/cfaussie?hl=en -~--~~~~--~~--~--~---
[cfaussie] Re: Flash sites being hacked
I suppose the Web Servers logs wouldn't help and cross reference the files dates to activity on the logs? I suspect it isn't a Flash problem, and if the site use flash or flex or air to upload to the web server with no authentication it is possible that there is a hole in the services that are behind the site. At a guess, but there are way too many scenarios here that could be a cause. But I am confident that the logs and cross referencing them with the file dates, maybe help you out here. From: cfaussie@googlegroups.com [mailto:cfaus...@googlegroups.com] On Behalf Of Steve Onnis Sent: Thursday, 2 April 2009 2:49 PM To: cfaussie@googlegroups.com Subject: [cfaussie] Re: Flash sites being hacked instead of the actual site being loaded, there is a replacement page with junk in there saying that site has been hacked. they are not getting in via ftp or any other way and i am sus about it being only flah sites that it is happening to --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups "cfaussie" group. To post to this group, send email to cfaussie@googlegroups.com To unsubscribe from this group, send email to cfaussie+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/cfaussie?hl=en -~--~~~~--~~--~--~---
[cfaussie] Re: Flash sites being hacked
> > instead of the actual site being loaded, there is a replacement page with > junk in there saying that site has been hacked. they are not getting in via > ftp or any other way and i am sus about it being only flah sites that it is > happening to The way I understand what you have said, the index or default site page is being physically replaced by some other page containing hacked content - is that right, or is it that redirect being put in place ? What kind of flash page(s) do you have there ? - are they just movies or do they have a form with bunch of actionscript talking to some web services on your site ? - do they have forms submittal functionality ? File upload perhaps ? Do they have AS code in them that might require elevated privilege perhaps, but makes use of an upload capability. You do know that just about anyone can dissect your SWF files and look directing at the AS code ? (There are many and various SWF reverse engineering tools out there). The various flash pages you mention - do they have anything in common ? Like the man said - have you looked at the web server logs ? What web server is it anyway - iiS ? Apache ? - is it a windows server or a linux server ? Have you looked at the web server configuration(s) - have you accidentally opened up directory scanning or some other permission that is allowing your hacker to get into your site ? Does the flash application have a backend web service ? If so what does it consist of (CF ?). What kind of things is that backend WS programmed to do ? Does it expose a public method that can write back files to the server perhaps ? Does the backend WS insist upon security validation for every request made to it or is it using session vars on the server to hold security validation state ? OR Does the flash file store some security validation token that might be hackable perhaps ? Or in other words are you trusting the flash modules delivered by your site perhaps a little too much ? Cheers, Bryn --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups "cfaussie" group. To post to this group, send email to cfaussie@googlegroups.com To unsubscribe from this group, send email to cfaussie+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/cfaussie?hl=en -~--~~~~--~~--~--~---