loadMovie(_root.baseUrl + "/movie.swf");
This security issue is not limited to loadMovie(). In Flash Player 9.0 r47,
almost all functions that load URLs are vulnerable to asfunction-based variables,
including these:
• loadVariables()
• loadMovie()
• getURL()
• loadMovieNum()
• FScrollPane.loadScrollContent()
• LoadVars.load()
• LoadVars.send()
• LoadVars.sendAndLoad()
• MovieClip.getURL()
• MovieClip.loadMovie()
• NetConnection.connect()
• NetServices.createGatewayConnection()
• NetStream.play()
• Sound.loadSound()
• XML.load()
• XML.send()
• XML.sendAndLoad()
You should also be concerned about variables accepting URLs that are user-definable,
such as TextFormat.url.
This attack is extremely common in Flash applications, including Flash movies automatically
generated from slide shows, videos, and other content. Some of these functions
must allow the asfunction protocol handler. Thus, we expect this issue to persist for
some time.
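An added example, not code from the book: a small Python audit pass over decompiled ActionScript 1/2 source that flags the URL-loading calls listed above, and assignments to a .url property such as TextFormat.url, when the argument reads a _root, _level0 or _global variable. Treating those three scopes as externally settable is an assumption of the example, and the sample source is constructed.

```python
import re

# Method names of the URL-loading calls listed above. The receiver is ignored
# because decompiled code calls them on instances, e.g. myXml.load(...).
SINK_NAMES = ("loadVariables", "loadMovie", "loadMovieNum", "getURL",
              "loadScrollContent", "load", "send", "sendAndLoad", "connect",
              "createGatewayConnection", "play", "loadSound")
# Assumption: variables in these scopes can be set by whoever embeds the SWF.
TAINTED = re.compile(r"\b(?:_root|_level0|_global)\.\w+")
CALL = re.compile(r"(?<![\w$])(%s)\s*\(" % "|".join(SINK_NAMES))
URL_ASSIGN = re.compile(r"\.url\s*=\s*([^;]+)")  # e.g. TextFormat.url

# Constructed sample of decompiled ActionScript, for illustration only.
SAMPLE = '''\
loadMovie(_root.baseUrl + "/movie.swf");
// getURL(_root.old);
lv.load("http://www.example.com/data.txt");
snd.loadSound(_level0.track, true);
fmt.url = _global.link;
this.preload(_root.x);
'''

def call_args(line, open_idx):
    """Text between the '(' at open_idx and its matching ')' (string literals not parsed)."""
    depth = 0
    for i in range(open_idx, len(line)):
        depth += (line[i] == "(") - (line[i] == ")")
        if depth == 0:
            return line[open_idx + 1:i]
    return line[open_idx + 1:]  # unbalanced: take the rest of the line

def audit(source):
    """Return (line_no, sink, variable) for each sink fed by a tainted variable."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith("//"):  # skip whole-line comments
            continue
        hits = [(m.group(1), call_args(line, m.end() - 1)) for m in CALL.finditer(line)]
        hits += [("url", m.group(1)) for m in URL_ASSIGN.finditer(line)]
        findings += [(no, sink, v) for sink, expr in hits for v in TAINTED.findall(expr)]
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("line %d: %s() <- %s" % finding)
```

Each finding marks a place where the value should be checked against an allowlist of schemes and hosts before it reaches the call.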
XSF via loadMovie and Other SWF, Image, and Sound Loading Functions
Popularity: 2
Simplicity: 7
Impact: 8
Risk Rating: 8
An attacker could also load his or her own SWF through userinput3, such as the
HackWorld application noted at the beginning of the chapter.