RE: [Flashcoders] XML socket policy files on ports < 1024 (SECURITY ISSUE?)
2004-02-17 - By Paul Lemon
Hi jayson/list,
I sent this to your private address jayson@(protected) but got a bounceback. I thought I'd send it to the list for yourself and anyone else who might be interested.
I think I have proved that a connection can be made to a socket <1024 without any policy file being downloaded from an xml server.
I have uploaded a simple test movie to http://www.pilotinteractive.co.uk/paulstest/sockettest.html it should be self explanatory. The source is at http://www.pilotinteractive.co.uk/paulstest/sockettest.fla
Onto the test:-
Start by connecting to port 60 on leeds04.pilotinteractive.co.uk.
On my machine I get no response. I cannot see any request being made for a policy file.
Then abort that connection by hitting the "disconnect" button.
Change the port to 5631 and hit connect again.
I get the following in the output window
-- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ------
Connecting to leeds04.pilotinteractive.co.uk on port 5631
Connected
Data arrived
#msgsession 0 0 8 9 encoding#o#y0#x#z
-- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ------
The last line is a message from the Oregano server that is running. It is the unmodified version, which cannot serve up a policy file.
I am running a packet sniffer and it shows that the Flash player also downloads the default policy file ( http://leeds04.pilotinteractive.co.uk/crossdomain.xml ) off the web server before the connection to 5631 is made. This policy file does not permit connections to port 60.
Now disconnect that and try port 60 again.
This time it connects for me.
See how it works for you.
thanks
Paul
**********************************************************************
Copyright in this message and its attachments remains with us. This email represents the views of the author, which may not be the views of the Company.
The information contained in this message is confidential and is intended for the addressee only. If you are not the intended recipient of this message please notify the sender and delete this message from your system immediately. The unauthorised use, disclosure, copying, distribution or alteration of this message is strictly forbidden.
Please note that we reserve the right to monitor and read internal and external e-mails.
Although we have checked this e-mail for viruses, it is not guaranteed to be virus free and it is your responsibility to scan the message and attachments prior to opening them. We do not accept any responsibility for the consequences of passing on any virus.
**********************************************************************
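As an added illustration (not code from the mail, from the Flash player or from the Oregano project), here is a small Python checker that parses a crossdomain.xml policy and reports which observed socket connections the policy does not authorise. The policy file and the observed-connection table are constructed to mirror the test described above: the policy permits port 5631 to the site's own hosts but says nothing about port 60, yet the player connected to both. The `to-ports` syntax handled here (comma-separated ports and ranges, `*` for all) is the documented crossdomain.xml form; treating a rule without `to-ports` as granting no socket ports is an assumption made for the check.

```python
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

# Constructed sample policy in crossdomain.xml form. It is NOT the real file
# served by leeds04.pilotinteractive.co.uk; it only reproduces the situation
# in the mail: 5631 is listed for the site's own hosts, port 60 is not.
SAMPLE_POLICY = """<cross-domain-policy>
  <allow-access-from domain="*.pilotinteractive.co.uk" to-ports="5631,6000-6010" />
  <allow-access-from domain="*" to-ports="8080" />
</cross-domain-policy>
"""

# Constructed record of what the test movie observed: port -> did it connect?
OBSERVED_CONNECTIONS = {60: True, 5631: True, 8080: False}


def parse_ports(spec):
    """Expand a to-ports attribute into a set of ints; None means every port."""
    if spec is None:
        return set()  # assumption: a rule without to-ports grants no socket ports
    spec = spec.strip()
    if spec == "*":
        return None
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(part))
    return ports


def domain_matches(pattern, host):
    """Match a policy domain pattern ('*' or '*.example.com') against a host name."""
    pattern, host = pattern.strip().lower(), host.strip().lower()
    if pattern == "*":
        return True
    return fnmatchcase(host, pattern)


def allowed_ports(policy_xml, host):
    """Union of ports the policy grants to `host`; None means all ports."""
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain-policy document: <%s>" % root.tag)
    granted = set()
    for rule in root.findall("allow-access-from"):
        if not domain_matches(rule.get("domain", ""), host):
            continue
        ports = parse_ports(rule.get("to-ports"))
        if ports is None:
            return None  # one wildcard rule opens every port
        granted |= ports
    return granted


def port_permitted(policy_xml, host, port):
    """True if the policy authorises a socket from `host` to `port`."""
    ports = allowed_ports(policy_xml, host)
    return ports is None or port in ports


def unauthorised_connections(policy_xml, host, observed):
    """Ports that actually connected although the policy does not permit them."""
    return sorted(
        port for port, connected in observed.items()
        if connected and not port_permitted(policy_xml, host, port)
    )


if __name__ == "__main__":
    # The movie was served from a host under the site's own domain (constructed).
    host = "www.pilotinteractive.co.uk"
    print("policy grants:", sorted(allowed_ports(SAMPLE_POLICY, host)))
    print("connected without policy permission:",
          unauthorised_connections(SAMPLE_POLICY, host, OBSERVED_CONNECTIONS))
```

Run against a captured policy file and a table of which ports the player actually reached, the last function lists exactly the connections a policy-enforcing player should have refused; for the constructed data it reports port 60, which is the discrepancy the mail describes.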
=-- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- --
Supported by Fig Leaf Software
=-- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- --
Be sure to check the archives and the wiki:
http://chattyfig.figleaf.com/
=-- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- --
http://chattyfig.figleaf.com/cgi-bin/ezmlm-cgi?1:mss:104489
=-- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- --
To unsubscribe send a blank e-mail to:
Normal Mode: flashcoders-unsubscribe@(protected)
Digest Mode: flashcoders-digest-unsubscrive@(protected)