This is a train of thought set off by a crossdomain.xml security policy file (not a steamed bun, and not a bloody case!). I first ran into it a few years ago when I was new to Flex and solved the problem half in the dark; since then I have dealt with it countless times, and what was once a big problem can now be handled as a small one. It was a pleasant sunny afternoon: I was happily writing code, scheduling, organizing documents and planning to go home for dinner, when an e-mail arrived about a Flash cross-domain security vulnerability on a nearly forgotten server that needed an emergency fix.
Huh, what? This is not funny. What is this stuff? Confused, a security hole? So I decisively went looking for the server's policy file and, sure enough, none was deployed. Oh well, this was not my work originally; I only inherited it... Anyway, complaining is useless, the problem has to be solved now. So just write a crossdomain.xml file and drop it under the server root: a few keystrokes, two minutes, fixed. Such a simple little problem, ha ha ha... Just as I thought I could reply to the e-mail, I saw the words "WooYun (Dark Cloud) cross-domain vulnerability" and opened it to see what it was about. That was a mistake: it scared me. I did not understand it at all: all kinds of messy code snippets and explanations, and I was getting impatient. I knew then that the afternoon was going to be spent on this damn vulnerability.
======================= officially started =======================
1. What kind of vulnerability is this?
From the analysis of the principle of CVE-2011-2461 and the case study, we can easily see that this vulnerability lets an attacker load a SWF file into our security domain, disguised as one of our own sandboxed files, and steal users' private information. (Though there is nothing here to steal; steal a live video stream? Well, even if there is nothing worth stealing, fix it properly anyway!)
2. What causes it?
The cause is also explained in detail in that article: it comes from "import loading" with security-domain authorization, which the official Adobe API documentation also describes specifically (see the entry on import loading under LoaderContext.securityDomain).
3. Does this vulnerability really exist?
Yes. It does exist in SDK 4.6, and the WooYun platform was not talking nonsense. I carefully analyzed the SWF loading process in the order presented in the article, checked every code snippet and loading principle it mentions, and finally found the following code snippet at line 463 of the ModuleManager.as class.
This is the last snippet mentioned in the article.
4. How can this vulnerability be fixed?
We do not need to worry about this either; the article covers it all. Moreover, this is an old vulnerability, and the article gives four kinds of solution, as follows:
For this vulnerability, the fixes and defenses may include the following points:
Update development tools
SWF files compiled with an old SDK can be recompiled with a new version of the development tool, or patched with the repair tool (https://helpx.adobe.com/flash-builder/kb/flex-security-issue-apsb11-25.html). Of course, if the file is already very old, simply deleting it outright is fine too.
Putting static resource files that carry security risks, such as SWF, under a separate domain name minimizes this kind of problem.
Developers should avoid "import loading" when writing related code, and when using the Loader class, the loaded URLs should be checked for legitimacy.
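One way to follow the last point above (no import loading, and a legitimacy check on the URL before it reaches the Loader class), as an added ActionScript 3 example that is neither the post's own code nor Flex SDK code; the class name and the allowed host are assumptions:

```actionscript
// Added example (not from the original post and not Flex SDK code): a loader
// that avoids "import loading" and checks URL legitimacy before Loader.load().
package {
    import flash.display.Loader;
    import flash.display.Sprite;
    import flash.net.URLRequest;
    import flash.system.ApplicationDomain;
    import flash.system.LoaderContext;
    import flash.system.SecurityDomain;
    public class SafeModuleLoader extends Sprite {
        // Hosts we are willing to load modules from (assumed value for the example).
        private static const ALLOWED_HOSTS:Array = ["static.example.com"];
        private static const SWF_URL:RegExp = /^https:\/\/([a-z0-9.-]+)\/[^?#]*\.swf$/i;
        // A URL is legitimate only if it is an absolute https URL to a .swf on an
        // allow-listed host; relative paths, other schemes and query strings are rejected.
        public static function isLegitimateUrl(url:String):Boolean {
            var m:Object = SWF_URL.exec(url);
            if (m == null) {
                return false;
            }
            return ALLOWED_HOSTS.indexOf(String(m[1]).toLowerCase()) != -1;
        }
        // The pattern the post warns about: setting securityDomain on the
        // LoaderContext is "import loading" and pulls the remote SWF into our own
        // security domain, so its code runs with our privileges.
        public function loadWithImport(url:String):void {
            var ctx:LoaderContext = new LoaderContext();
            ctx.securityDomain = SecurityDomain.currentDomain;
            new Loader().load(new URLRequest(url), ctx);
        }
        // Hardened version: validate first, leave securityDomain unset, and give the
        // module a child ApplicationDomain so it stays in its own sandbox.
        public function loadModule(url:String):Loader {
            if (!isLegitimateUrl(url)) {
                throw new SecurityError("module URL rejected: " + url);
            }
            var ctx:LoaderContext = new LoaderContext();
            ctx.applicationDomain = new ApplicationDomain(ApplicationDomain.currentDomain);
            var loader:Loader = new Loader();
            loader.load(new URLRequest(url), ctx);
            addChild(loader);
            return loader;
        }
    }
}
```

With this arrangement a module URL taken from untrusted input (for example a FlashVars parameter) is rejected unless it points at an allow-listed host, and even an accepted module never shares our security domain.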
Our focus is on the tool mentioned there, which is in fact Adobe's own explanation of and fix for this vulnerability.
5. The Flex Security Issue APSB11-25 article mentions two kinds of solution: a temporary emergency workaround and a once-and-for-all permanent fix. Of course, we all know that the second is the reliable one.
Official vulnerability page and tool download; the tool requires an AIR runtime installed on the computer.
Workaround: download the official repair tool and patch the vulnerable SWF files with it. Simple and fast; feasible.
Permanent solution: update the SDK version used by developers. According to the write-up, SDKs above 4.6 have fixed the problem. But I was already on SDK 4.6 and really did have the problem, so I thought of the 4.13 SDK, decisively replaced the SDK, recompiled and published, and ran the vulnerability detection tool: the result showed no vulnerability. Looking at the ModuleManager.as class, the code snippet was found to be different, as follows:
We can also verify this with the command line mentioned in the article: switch to the FB (Flash Builder) installation path, enter sdks/bin, and run swfdump -abc path/xxx.swf > path.txt to dump the SWF binary into text form. Run the command on both the unrepaired and the repaired SWF files, then compare them with a file-comparison tool such as Beyond Compare (installed on my machine long ago; very useful, other diff tools work too). The results are as follows:
This comparison shows only two differences. The first is the file name, which I chose myself and is unimportant; the second is the one in the diagram above. In other words, the comparison shows that the problem really is solved by modifying the code in ModuleManager.as, and that both the WooYun platform's and the official site's solutions are feasible.
6. What do I mainly want to say?
I have been very long-winded. I whimsically thought I could just change ModuleManager.as in the 4.6 SDK myself. No: although I changed the code by hand, that was completely fooling myself. I knew about the change, but FB did not, because nothing was compiled and nothing ran; the framework has to be rebuilt and packaged with ant.
7. What is the impact of the change?
If you choose the repair tool, then unless the code is never maintained again, this is an unsafe corrective action: some unfortunate programmer may later forget to run the repair tool and get blamed for it. That is not to say the new SDK version is all upside: a high SDK version requires a high version of the Flash Player plug-in, which may affect the user experience, since users need to update their own plug-in. But then again, most users' computers have a fairly new FP; the current one is 17 beta, and SDK 4.13 only requires FP 14.0 or above. Then why not use SDK 4.7 or SDK 4.6a? I think those SDKs have vulnerabilities too, and I do not want to waste time fixing vulnerabilities every day.
This post should have a few more pictures, but it is after work and I have not eaten yet. Thinking about it, not many people will really care, and the two articles mentioned are quite detailed; here I am only giving an introduction.
A series of security issues raised by the crossdomain.xml security policy file