Flash, the future star of RIA, keeps getting better and better on the security front. In AS3 I was surprised to find that Adobe has actually forbidden Referer forgery!!!

ArgumentError: Error #2096: The HTTP request header Referer cannot be set via ActionScript.
	at flash.display::Loader/flash.display:Loader::_load()
	at flash.display::Loader/load()
	at Timeline0_e150d995f3cf54ba89046e1dff0add1/::frame1()

Well done!!!

--------------------------------------------------------------------------------
Rapid7, LLC Security Advisory
Visit http://www.rapid7.com/ to download NeXpose, SC Magazine Winner of Best Vulnerability Management product.
_______________________________________________________________________

Rapid7 Advisory R7-0026
HTTP Header Injection Vulnerabilities in the Flash Player Plugin

Published: Oct 17, 2006
Revision: 1.0
http://www.rapid7.com/advisories/R7-0026.jsp

1. Affected System(s):

KNOWN VULNERABLE:
 o Flash Player plugin 9.0.16 (for Windows)
 o Flash Player plugin 7.0.63 (for Linux)

PROBABLY VULNERABLE:
 o Earlier 9.0.x and 7.0.x versions
 o 8.0.x versions

KNOWN FIXED:
 o Flash Player plugin BETA version 9.0.18d60 (for Windows)

2. Summary

Two HTTP Header Injection vulnerabilities have been discovered by Rapid7 in the Flash Player plugin. They allow attackers to perform arbitrary HTTP requests while controlling most of the HTTP headers. This can make it easier to perform CSRF attacks [2] in some cases.

When the HTTP server implements Keep-Alive connections and when Firefox is used, these Flash vulnerabilities can even be used to perform totally arbitrary HTTP requests where every part is controlled by the attacker: HTTP method, URI, HTTP version, headers, and data. Such attacks make use of the HTTP Request Splitting method.

3. Vendor Status and Information

Adobe Systems, Inc.
http://www.adobe.com

Sep 18, 2006  Adobe acknowledges reception of the vulnerability details.
Sep 29, 2006  Adobe responds with proposed dates for a fix later this year.
Oct 5, 2006   Adobe releases a fixed BETA version of Flash 9 for Windows (version 9.0.18d60, release files are named beta_100406).
Oct 17, 2006  Advisory is published after expiration of the 30-day grace period granted to Adobe to fix and disclose the vulnerabilities.

4. Solution

Use the fixed BETA version (9.0.18d60).
Only allow trusted websites to use Flash.
Disable or uninstall the Flash plugin.
Use alternative Flash plugins (GplFlash, Gnash).

5. Detailed Analysis

The vulnerabilities described hereafter have been successfully tested with the latest versions of Flash available for various platforms as of 2006/09/06, and with multiple combinations of browser/OS:

 o IE6 SP2 (aka IE6 SV1) for Windows, with Flash plugin 9.0.16
 o Firefox 1.5.0.6 for Windows, with Flash plugin 9.0.16
 o Firefox 1.5.0.6 for Linux, with Flash plugin 7.0.63

5.1. XML.addRequestHeader() Vulnerability

Flash features a scripting language called ActionScript. ActionScript comes with a certain number of standard classes available to Flash developers. In particular, the send() method of the XML object can be used to send XML document trees to arbitrary URLs using, by default, a POST request. This, in itself, is not a vulnerability; the XML.send() method definitely complies with the Flash security model [4]. However, another method defined in the XML class, addRequestHeader(), can be used to add arbitrary HTTP headers to the request
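The mechanism behind both halves of this page, the request splitting that the advisory's section 2 describes and the script-side refusal that produces Error #2096, as an added example that is not code from the blog post, from the Rapid7 advisory or from Adobe. It models a client that copies a script-supplied header value into the request verbatim (like the unpatched XML.addRequestHeader()), a keep-alive server loop that then reads two requests where one was sent, and a hardened header setter that rejects CR/LF and a script-controlled Referer. The function names, the host and paths, the injected value and the blocked-header names beyond Referer are all assumptions made for illustration:

```javascript
// Added example, not code from the blog post, the Rapid7 advisory or Adobe.
// It models (1) a client that copies a script-supplied header value into the
// request verbatim, so a CR/LF in the value splits one request into two on a
// keep-alive connection (HTTP Request Splitting), and (2) a hardened
// addRequestHeader that rejects CR/LF and a script-set Referer, as the patched
// Flash player does. Function names, the blocked-header list beyond Referer,
// and the sample host/paths are assumptions made for illustration.

const CRLF = "\r\n";

// Vulnerable client: header values are inserted as-is, like the unpatched
// XML.addRequestHeader(). Bodies are ASCII here, so .length is the byte count.
function buildRequestNaive(method, path, headers, body) {
  const lines = [`${method} ${path} HTTP/1.1`];
  for (const [name, value] of Object.entries(headers)) {
    lines.push(`${name}: ${value}`);
  }
  lines.push(`Content-Length: ${body.length}`, "", body);
  return lines.join(CRLF);
}

// Minimal keep-alive server side: reads consecutive requests off one
// connection, delimiting each by its own Content-Length.
function parseKeepAliveStream(raw) {
  const requests = [];
  let pos = 0;
  while (pos < raw.length) {
    const headerEnd = raw.indexOf(CRLF + CRLF, pos);
    if (headerEnd === -1) break;
    const head = raw.slice(pos, headerEnd).split(CRLF);
    const [method, path, version] = head[0].split(" ");
    const headers = {};
    for (const line of head.slice(1)) {
      const colon = line.indexOf(":");
      if (colon > 0) {
        headers[line.slice(0, colon).toLowerCase()] = line.slice(colon + 1).trim();
      }
    }
    const length = parseInt(headers["content-length"] || "0", 10);
    const bodyStart = headerEnd + 4;
    requests.push({
      method, path, version, headers,
      body: raw.slice(bodyStart, bodyStart + length),
    });
    pos = bodyStart + length;
  }
  return requests;
}

// Hardened client-side check. Referer is the header the page shows Flash
// refusing (Error #2096); Host and Content-Length are an illustrative choice
// here, not Adobe's actual list.
const BLOCKED_HEADERS = new Set(["referer", "host", "content-length"]);

function addRequestHeaderHardened(headers, name, value) {
  if (/[\r\n]/.test(name) || /[\r\n]/.test(value)) {
    throw new Error("CR/LF in header name or value (header injection)");
  }
  if (BLOCKED_HEADERS.has(name.toLowerCase())) {
    throw new Error(`HTTP request header ${name} cannot be set by script`);
  }
  headers[name] = value;
  return headers;
}

// Wrapper so callers can check rejection without try/catch.
function isRejected(name, value) {
  try {
    addRequestHeaderHardened({}, name, value);
    return false;
  } catch (e) {
    return true;
  }
}

// Constructed attack value: terminates the legitimate request early, then
// supplies a complete second request whose method, URI and headers the
// attacker chose. The client's own Content-Length and body land in request 2.
const INJECTED_VALUE =
  "x" + CRLF + "Content-Length: 0" + CRLF + CRLF +
  "GET /admin/delete?id=1 HTTP/1.1" + CRLF +
  "Host: victim.example" + CRLF +
  "X-Injected: 1";

// Returns what the keep-alive server sees when the naive client sends one
// POST carrying the injected header value: two requests.
function demo() {
  const raw = buildRequestNaive(
    "POST", "/upload",
    { Host: "victim.example", "X-Custom": INJECTED_VALUE },
    "<xml/>");
  return parseKeepAliveStream(raw);
}

console.log(demo().map(r => `${r.method} ${r.path}`).join(" | "));
// POST /upload | GET /admin/delete?id=1
```

The single regex test on CR and LF is what closes the whole class: once a value cannot contain a line break, the attacker cannot end the header block early, and the smuggled second request never forms, regardless of which header name carried it. The blocked-name set is the separate, weaker measure that stops a script from forging headers the browser is supposed to own, such as Referer.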