How to safely embed any flash file (swf)?

Question

I want to allow my users to embed their own Flash animations in their posts. Usually the actual file is hosted on some free image hosting site. I wouldn't actually load the flash unless the user clicked a button to play (so that nothing auto-plays on page load). I know people can make some really annoying crap in flash, but I can't find any information about potential serious damage a flash app could cause to the viewer.

Is it unsafe to embed just any flash file from the internets? If so, how can I let users embed innocent animations but still keep out the harmful apps?

edit:

From what I can gather, the most obvious threat is for actionscript to redirect you to a malicious site.

Adobe says you can set allowScriptAccess=never and allowNetworking=none and the swf should have no access to anything outside of itself. Will this solve all my problems?

Answer 1

Yes, it's unsafe.

There's no easy way of allowing it. You could have a domain whitelist that allowed YouTube, Hulu, etc. through, but whitelisting is inherently a pain in the ass - you'd be constantly updating.

Answer 2

As an example Drupal has a scenario of how allowing flash content from users could be a security concern.

Answer 3

Flash has some neat security measures in place. Allowing users to upload swf's to your site and embedding them is unsafe, you're basically setting yourself up for an XSS attack.

However, allowing them to hotlink should not be a problem. The swf will be locked to the domain that is hosting it and is not allowed calling url's outside of that space.

It will still be open to "evil links" (i'm sure theres a proper word for them), and by that I mean having regular links to yoursite.com/admin/deleteallpages.php which it tries to load "as" you. It will not however be able to use this data in any way, it'll basically be the same as a normal link, and I'd guess modern cms' are protected from that type of attacks.

You could get the same protection by hosting your flashes on a different subdomain, since flash considers this the same as a completely different domain.

Answer 4

Adobe says you can set allowScriptAccess=never and allowNetworking=none and the swf should have no access to anything outside of itself. Although allowNetworking is only in Flash Player 9, so users with earlier versions of Flash would still be susceptible to some exploits.

Creating more secure SWF web applications : Security Controls Within the HTML Code

How to restrict SWF content from HTML

Answer 5

When embedding SWFs from unknown sources, it is also best practice to throw a mask on the Loader so that the loaded SWF can't take over more screen real estate than expected.

Pseudo-code to do so:

var maskSpr : Sprite = new Sprite();
maskSpr.graphics.beginFill();
maskSpr.graphics.drawRect(0,0,safeWidth,safeHeight);
maskSpr.graphics.endFill();
myLdr.mask = maskSpr;

Answer 6

There is actually more than one option.

To be totally safe, set allowScriptAccess=never and allowNetworking=none and the swf will have no access to anything outside of itself.

NOTE: allowNetworking is only in Flash Player 9 (it was created in response to various myspace worms), so you'll need to use SWF Object to insure that only users with the right flash player version or better have the flash loaded.

If you want to enable things like youtube videos, though, you can't set allowNetworking to "none". Fortunately, there is an intermediate level of security for this field - "internal" which lets the SWF talk to its hosted domain.

Also note that you better not have a crossdomain.xml file on your site - read more about those dangers here and other places.

Here are some other sites that are mentioned by other answers that go into more detail:

http://www.adobe.com/devnet/flashplayer/articles/secure_swf_apps_04.html

http://blogs.adobe.com/stateofsecurity/2007/07/how_to_restrict_swf_content_fr_1.html