Flash Cross-domain Policy

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains. Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression. Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Issue background

The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain that publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application that allows access. Any domains that are allowed by the Flash cross-domain policy should be reviewed to determine whether it is appropriate for the application to fully trust both their intentions and security posture.

Issue remediation

Any inappropriate entries in the Flash cross-domain policy file should be removed.

Vulnerability classifications

Sample

<?xml version="1.0" ?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
    <site-control permitted-cross-domain-policies="all" />
    <allow-http-request-headers-from domain="*" headers="*" />
    <allow-access-from domain="*.starbucks.com" />
    <allow-access-from domain="*.starbucks.net" />
    <allow-access-from domain="*.starbucks.co.uk" />
    <allow-access-from domain="*.brightcove.com" secure="false"/>
    <allow-access-from domain="*.plymedia.com" secure="false"/>
    <allow-access-from domain="*.subply.com" secure="false"/>
    <allow-access-from domain="*.sbweb.prod" />
    <allow-access-from domain="localhost" />
    <allow-access-from domain="*.tazo.com" />
</cross-domain-policy>

results matching ""

    No results matching ""