Flash content - Posted (1638 Views)
Etymon
Advanced Member
Etymon
Posts: 2396
2396
Is it possible for anyone to embed malicious code into a flash file or a movie?<
 Sort direction, for dates DESC means newest first  
 Page size 
Posted
HuwR
Forum Admin
HuwR
Posts: 20611
20611
in a word yes<
Posted
Etymon
Advanced Member
Etymon
Posts: 2396
2396
Figures. sad
So, allowing people to post those kinds of links and/or allowing people to upload those kind of files is skeptical if not dangerous. If the file is being uploaded to the server, is there anyway to check the file for these kinds of things?<
Last edited by Etymon on 12 October 2008, 11:38
Posted
HuwR
Forum Admin
HuwR
Posts: 20611
20611
I think there is stuff you can do, but not entirely sure as I don't use flash.<
Posted
Etymon
Advanced Member
Etymon
Posts: 2396
2396
I don't use it either. My son works with it a little. I was not sure if I should allow flash uploads (or flash links [like with the video MOD]). Thanks Huw!<
Posted
MarcelG
Retired Support Moderator
MarcelG
Posts: 2625
2625
Etymon, indeed people who want to do harm can use malformed flashfiles to do harm. However, if you use the video mod that supports only those flashvideo providers who "prove" to be ok, there's not much that can go wrong. (My videomod only supports the big ones such as Youtube and Dailymotion). If you support SWF files, via my other mod (the [flash][/flash] tags), you indeed may be subject to hackers embedding malicious SWF's. But, then again, if you enable images you are also enabling them to do the same, except for the fact that the number of image-exploits is far more limited. The simplest exploit is this one if I'm not mistaking : embed a 10000x10000 pure white PNG (filesize is almost nothing) and the browser crashes as it tries to render it....<
portfolio - linkshrinker - oxle - twitter
Posted
Etymon
Advanced Member
Etymon
Posts: 2396
2396
Thanks for the help on that Marcel! Hmmm. So, I should not allow flash type uploads, but, instead, let the member(s) use another service for that? Just for the sake of conversation since others are reading this too ... which mod is which that is safe and possibly unsafe?<
Posted
Podge
Support Moderator
Podge
Posts: 3776
3776
http://forum.snitz.com/forum/topic.asp?TOPIC_ID=60387<
Podge. The Hunger Site - Click to donate free food | My Blog | Snitz 3.4.05 AutoInstall (Beta!)
My Mods: CAPTCHA Mod | GateKeeper Mod Tutorial: Enable subscriptions on your board
Warning: The post above or below may contain nuts.
Posted
MarcelG
Retired Support Moderator
MarcelG
Posts: 2625
2625
Etymon ; there's a difference between allowing flash-file uploads and allowing flash-embedding in your topics ; with the first one one can only post a link to a .swf file, with the second one, one can embed the object, making it load (and run) automatically when a visitor views a topic. That last one has the biggest security concern, as it loads without the visitor having to acknowledgee it prior on loading.<
portfolio - linkshrinker - oxle - twitter
Posted
HuwR
Forum Admin
HuwR
Posts: 20611
20611
it is not just image exploits, flash files can embed javascript which then runs on the client, it is that which poses the biggest security risk<
Posted
Etymon
Advanced Member
Etymon
Posts: 2396
2396
Oh boy. Hmmm.
So, if I allow members to upload images "but" I have some type of resizing going on during the upload process, then will that work around a lot of the image sizing exploits?<
 
You Must enter a message