Flash content - Postet den (1642 Views)
Etymon
Advanced Member
Etymon
Innlegg: 2396
2396
Is it possible for anyone to embed malicious code into a flash file or a movie?<
   
 Sidestørrelse 
Postet den
HuwR
Forum Admin
HuwR
Innlegg: 20611
20611
in a word yes<
Postet den
Etymon
Advanced Member
Etymon
Innlegg: 2396
2396
Figures. sad
So, allowing people to post those kinds of links and/or allowing people to upload those kind of files is skeptical if not dangerous. If the file is being uploaded to the server, is there anyway to check the file for these kinds of things?<
Sist redigert av
Postet den
HuwR
Forum Admin
HuwR
Innlegg: 20611
20611
I think there is stuff you can do, but not entirely sure as I don't use flash.<
Postet den
Etymon
Advanced Member
Etymon
Innlegg: 2396
2396
I don't use it either. My son works with it a little. I was not sure if I should allow flash uploads (or flash links [like with the video MOD]). Thanks Huw!<
Postet den
MarcelG
Retired Support Moderator
MarcelG
Innlegg: 2625
2625
Etymon, indeed people who want to do harm can use malformed flashfiles to do harm. However, if you use the video mod that supports only those flashvideo providers who "prove" to be ok, there's not much that can go wrong. (My videomod only supports the big ones such as Youtube and Dailymotion). If you support SWF files, via my other mod (the [flash][/flash] tags), you indeed may be subject to hackers embedding malicious SWF's. But, then again, if you enable images you are also enabling them to do the same, except for the fact that the number of image-exploits is far more limited. The simplest exploit is this one if I'm not mistaking : embed a 10000x10000 pure white PNG (filesize is almost nothing) and the browser crashes as it tries to render it....<
portfolio - linkshrinker - oxle - twitter
Postet den
Etymon
Advanced Member
Etymon
Innlegg: 2396
2396
Thanks for the help on that Marcel! Hmmm. So, I should not allow flash type uploads, but, instead, let the member(s) use another service for that? Just for the sake of conversation since others are reading this too ... which mod is which that is safe and possibly unsafe?<
Postet den
Podge
Support Moderator
Podge
Innlegg: 3776
3776
http://forum.snitz.com/forum/topic.asp?TOPIC_ID=60387<
Podge. The Hunger Site - Click to donate free food | My Blog | Snitz 3.4.05 AutoInstall (Beta!)
My Mods: CAPTCHA Mod | GateKeeper Mod Tutorial: Enable subscriptions on your board
Warning: The post above or below may contain nuts.
Postet den
MarcelG
Retired Support Moderator
MarcelG
Innlegg: 2625
2625
Etymon ; there's a difference between allowing flash-file uploads and allowing flash-embedding in your topics ; with the first one one can only post a link to a .swf file, with the second one, one can embed the object, making it load (and run) automatically when a visitor views a topic. That last one has the biggest security concern, as it loads without the visitor having to acknowledgee it prior on loading.<
portfolio - linkshrinker - oxle - twitter
Postet den
HuwR
Forum Admin
HuwR
Innlegg: 20611
20611
it is not just image exploits, flash files can embed javascript which then runs on the client, it is that which poses the biggest security risk<
Postet den
Etymon
Advanced Member
Etymon
Innlegg: 2396
2396
Oh boy. Hmmm.
So, if I allow members to upload images "but" I have some type of resizing going on during the upload process, then will that work around a lot of the image sizing exploits?<
 
Du må legge inn en melding