March 8, 2010 - 21:15 EST - Tags: rfi flash xss phishing spam
A lot of flash and flex applications use an XML-file for configuration. The XML-file sets up which texts and images to show. However if we don't pay attention, this flash application can be abused for phishing or spam, because the attacker can specify which file to use in the flash - a client-side RFI (Remote File Inclusion
). Luckily this is not as dangerous as server-side RFI, but it's still something you want to avoid.Disclaimer
Now before I continue, I'd like to point that I don't write this in order to make fun of the developer of the apps in question. I write this for educational purposes only. Example of the problem
Consider this real slideshow application. This application takes an XML file on the format:
<image url='someimage.jpg' duration='2' />
<image url='someimage2.jpg' duration='2' />
This configuration file can be loaded via the parameter xml_source
<EMBED src="slideshow.swf?xml_source=sample.xml" quality="high" bgcolor="#000000" WIDTH="320"
HEIGHT="240" NAME="slideshow" allowScriptAccess="sameDomain" swLiveConnect="true"
An attacker can abuse this functionality by crafting a url like this:
<image url="/slideshow/images/plant0.jpg" />
To fix this problem you need to check the url of the config file before you include it. Typically you would check that the url is relative (starts with a "/") or is pointing to a host that you trust.