I have a developer who has given users the ability to download a zip archive which contains an HTML document which references a relative JavaScript file and Flash document. The Flash document accepts as one of its parameters a URL which is embedded in the HTML document. I believe that this archive is meant to be used as a means to transfer an advertisement to someone who would use the source to display the ad on their site; however, the end user appears to want to view it locally.

When one opens the HTML document the Flash document is presented, and when the user clicks on the Flash document it redirects to this embedded URL. However, if one extracts the archive on the desktop, opens the HTML document in a browser and clicks the Flash object, nothing observable happens; they will not be redirected to the external URL.

I believe this is a security risk because one is transferring from the local computer zone to an external zone.

I'm trying to determine the best way to explain this security risk in the simplest of terms to a very end user. They simply believe it's "broken" when it's not broken; they're being protected from a known vulnerability.

The developer attempted to explain how to copy the files to a local IIS instance, which I highly doubt is running on the user's machine, and I do not consider this to be a viable explanation.

A: 

Would this be useful? It seems to imply that when it blocks local content, the user gets a notification as such, but it sounds like it's just failing silently.

Doug Kavendek
I believe your assumption is correct; however, I'm not familiar enough with Flash to know whether this is because the document is composed poorly or if it's for some other reason.
Dave
+3  A: 

I don't think this is an issue. Being able to go in the opposite direction, that is, execute script originating from a Remote zone in the local zone, is called "Cross Zone Scripting". In fact, the most recent 0-day against IE uses cross zone scripting to get remote code execution.

If you look at the restrictions for Adobe Air you can see that it's less restrictive than the Same Origin Policy when it comes to accessing remote resources. I cannot think of a scenario in which this would be valuable to an attacker. Especially when comparing to other locally run code, such as an executable written in C++.

Rook
If this isn't an issue, do you have any thoughts on how I can prove it? In testing, it works on a local web server; however, it does not work from a local file.
Dave
@Dave I'm not sure what you mean. I can't think of a scenario in which this would be useful to an attacker.
Rook
If I understand your original response correctly, you are stating that the behavior I'm observing is not because of a security issue but because of some other issue. Can you suggest how I might dive deeper into the issue to get to the root cause? Sorry, my previous response is poorly phrased.
Dave
@Dave I don't see how this is a problem because no one is normally going to run this Flash app locally, so this shouldn't interfere with usability. I also don't see how an attacker can gain anything from tricking someone into opening the Flash app locally. It's not working probably because of a "same origin policy" violation. If this were compiled as an Air app then I don't think it would throw this violation.
Rook