Snitz Forums 2000
 Flash content

Etymon
Advanced Member

United States
2385 Posts

Posted - 12 October 2008 :  00:08:11
Is it possible for anyone to embed malicious code into a flash file or a movie?

HuwR
Forum Admin

United Kingdom
20584 Posts

Posted - 12 October 2008 :  03:51:25
In a word, yes.

Etymon
Advanced Member

United States
2385 Posts

Posted - 12 October 2008 :  10:51:23
Figures.

So, allowing people to post those kinds of links and/or allowing people to upload those kinds of files is skeptical if not dangerous. If the file is being uploaded to the server, is there any way to check the file for these kinds of things?

Edited by - Etymon on 12 October 2008 11:38:25

HuwR
Forum Admin

United Kingdom
20584 Posts

Posted - 12 October 2008 :  12:42:29
I think there is stuff you can do, but not entirely sure as I don't use flash.

Etymon
Advanced Member

United States
2385 Posts

Posted - 12 October 2008 :  14:11:39
I don't use it either. My son works with it a little. I was not sure if I should allow flash uploads (or flash links [like with the video MOD]). Thanks Huw!

MarcelG
Retired Support Moderator

Netherlands
2625 Posts

Posted - 13 October 2008 :  05:01:59
Etymon, indeed people who want to do harm can use malformed flash files to do harm.
However, if you use the video mod that supports only those flash video providers who "prove" to be ok, there's not much that can go wrong. (My video mod only supports the big ones such as YouTube and Dailymotion).
If you support SWF files, via my other mod (the [flash][/flash] tags), you indeed may be subject to hackers embedding malicious SWFs.
But, then again, if you enable images you are also enabling them to do the same, except for the fact that the number of image exploits is far more limited. The simplest exploit is this one, if I'm not mistaken: embed a 10000x10000 pure white PNG (filesize is almost nothing) and the browser crashes as it tries to render it....

Etymon
Advanced Member

United States
2385 Posts

Posted - 13 October 2008 :  08:40:20
Thanks for the help on that Marcel! Hmmm. So, I should not allow flash type uploads, but, instead, let the member(s) use another service for that? Just for the sake of conversation since others are reading this too ... which mod is which that is safe and possibly unsafe?

Podge
Support Moderator

Ireland
3775 Posts

Posted - 13 October 2008 :  09:43:57
http://forum.snitz.com/forum/topic.asp?TOPIC_ID=60387

Podge.

MarcelG
Retired Support Moderator

Netherlands
2625 Posts

Posted - 13 October 2008 :  09:47:28
Etymon; there's a difference between allowing flash-file uploads and allowing flash-embedding in your topics; with the first one, one can only post a link to a .swf file, with the second one, one can embed the object, making it load (and run) automatically when a visitor views a topic.
That last one has the biggest security concern, as it loads without the visitor having to acknowledge it prior to loading.

HuwR
Forum Admin

United Kingdom
20584 Posts

Posted - 13 October 2008 :  10:40:23
It is not just image exploits; flash files can embed JavaScript which then runs on the client. It is that which poses the biggest security risk.

Etymon
Advanced Member

United States
2385 Posts

Posted - 13 October 2008 :  16:18:53
Oh boy. Hmmm.

So, if I allow members to upload images "but" I have some type of resizing going on during the upload process, then will that work around a lot of the image sizing exploits?