XML socket policy files on ports < 1024 (SECURITY ISSUE?)
2004-02-17 - By Jayson K Hanes
Back Paul,
On first look it seems, yes, you are correct; however -- clients
wouldn't normally have this ability to connect, disconnect, change
ports, and then reconnect...
So, although it proves a functional mechanism to "perhaps" circumvent a
security process -- how could it be exploited?
If you automated the process by code -- great -- you are in on a low
port number without having a policy file... but.. I'm not digesting a
possible "exploit"... can you really think of any?
-Jayson
PS. Yeah.. the chattyfig footer and your (previously) unknown email
address got your off-list email into spamspace :).. (thanks for trying!)
> -----Original Message-----
> From: Paul Lemon [mailto:paull@(protected)]
> Sent: Tuesday, February 17, 2004 11:52 AM
> To: flashcoders@(protected)
> Subject: RE: [Flashcoders] XML socket policy files on ports < 1024
> (SECURITY ISSUE?)
>
>
> Hi jayson/list,
>
> I sent this to your private address jayson@(protected) but got a bounceback.
> I thought I'd send it to the list for yourself and anyone else who might be
> interested.
>
> I think I have proved that a connection can be made to a socket <1024
> without any policy file being downloaded from an xml server.
>
> I have uploaded a simple test movie to
> http://www.pilotinteractive.co.uk/paulstest/sockettest.html; it should be
> self explanatory. The source is at
> http://www.pilotinteractive.co.uk/paulstest/sockettest.fla
=------------------------------------------------------------------
Supported by Fig Leaf Software
=------------------------------------------------------------------
Be sure to check the archives and the wiki:
http://chattyfig.figleaf.com/
=------------------------------------------------------------------
http://chattyfig.figleaf.com/cgi-bin/ezmlm-cgi?1:mss:104494
=------------------------------------------------------------------
To unsubscribe send a blank e-mail to:
Normal Mode: flashcoders-unsubscribe@(protected)
Digest Mode: flashcoders-digest-unsubscrive@(protected)