XML socket policy files on ports < 1024 (SECURITY ISSUE?)
2004-02-17 - By Paul Lemon
Hi,
I have been experimenting with the new flash player version 7,019 and its ability to connect to xml servers on ports <1024.
I have been using Oregano server and have updated it so that it will serve a policy file back to the flash player as detailed in http://www.macromedia.com/support/documentation/en/flashplayer/7/releasenotes.html
(search for Flexible Policy File Locations)
I have tested this using the command System.security.loadPolicyFile("xmlsocket://foo.com:414");
and the server appears to return the xml correctly (although I can't find any way of telling this in the flash player - I am making assumptions based on the debug output of the server).
The documentation says that if a policy file has not yet been downloaded from a port <1024 when you try to open a socket the flash player will automatically request the policy file before the connection is made. This has not yet happened for me, the flash movie connects successfully without downloading a policy file from that port (it has downloaded a policy file off a web server on port 80 though).
I have tried this on two machines so far, Windows XP and Mac OS X, both using Internet Explorer and 7,019 which had recently been upgraded from 7,014.
Has anyone else seen this behaviour? If anyone can see anything I am missing, I would very much appreciate being corrected.
This could be a major security issue if the player can connect to ports < 1024 without any policy file. Alternatively I could just be getting it very wrong.
Thanks for any replies
Paul
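
The post notes that the player gives no sign of whether the policy file came back correctly. As an added example (not part of the original post, and not Oregano or Macromedia code), the Python below checks a socket policy server independently of the player: it sends the policy request, then reports which domains and ports the returned policy grants. It assumes the socket policy format in which the player sends a NUL-terminated `<policy-file-request/>` and the server replies with a NUL-terminated `<cross-domain-policy>` whose `allow-access-from` rules carry a `to-ports` attribute; all function names are hypothetical and the sample policy is constructed.

```python
import socket
import xml.etree.ElementTree as ET

POLICY_REQUEST = b"<policy-file-request/>\x00"  # sent by the player, NUL-terminated
SAMPLE_POLICY = (b'<cross-domain-policy><allow-access-from domain="*.foo.com" '
                 b'to-ports="414" /></cross-domain-policy>\x00')  # constructed sample

def answer(data, policy=SAMPLE_POLICY):
    """Server side: return the policy only for an exact policy request."""
    return policy if data == POLICY_REQUEST else b""

def fetch(host, port, timeout=5.0, limit=65536):
    """Client side: ask a live server for its policy, as the player would."""
    with socket.create_connection((host, port), timeout=timeout) as conn:
        conn.sendall(POLICY_REQUEST)
        buf = b""
        while not buf.endswith(b"\x00") and len(buf) < limit:
            chunk = conn.recv(4096)
            if not chunk:
                break
            buf += chunk
    return buf

def parse_ports(spec):
    """Expand a to-ports value such as '414,500-502' or '*' into (lo, hi) pairs."""
    ranges = []
    for part in (p.strip() for p in spec.split(",")):
        if part == "*":
            ranges.append((0, 65535))
        elif "-" in part:
            lo, hi = part.split("-", 1)
            ranges.append((int(lo), int(hi)))
        elif part:
            ranges.append((int(part), int(part)))
    return ranges

def audit(response):
    """Return (domain, port ranges, flags) for each allow-access-from rule."""
    if not response.endswith(b"\x00"):
        raise ValueError("policy response is not NUL-terminated")
    root = ET.fromstring(response[:-1].decode("utf-8"))
    findings = []
    for rule in root.iter("allow-access-from"):
        ports = parse_ports(rule.get("to-ports", ""))
        flags = ["any domain allowed"] if rule.get("domain") == "*" else []
        if any(lo < 1024 for lo, _ in ports):
            flags.append("grants ports below 1024")
        findings.append((rule.get("domain"), ports, flags))
    return findings
```

Running `audit(fetch(host, port))` against your own server shows exactly what a player would be granted, which can then be compared with the server's debug output.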