RE: [Flashcoders] XML socket policy files on ports < 1024 (SECURITY ISSUE?)

2004-02-17       - By Paul Lemon


Jayson,

I have checked this again and the procedure appears to be:

1. Try to connect to any port > 1024

2. Regardless of the success or failure of this, try making a connection to port 60; this will be permitted. This also works in my initial tests for port 80 and presumably any other port on which there is a process listening for socket connections.


I'm not too worried about the security issue per se, more worried about getting my flash movie to connect to a port number <1024. From the documentation it should request the policy file from the xml server when an attempt is made to connect to the port. As far as I can see this isn't happening and will require a specific loadPolicyFile request to be made. Is this your experience?

I think Macromedia should have a look at this because it does look as if their security software is buggy. There is the potential for someone to write a flash movie which can start connecting to ports <1024 in an attempt to use the applications that listen down on those ports for other reasons than making multiplayer flash movies.

Paul

> -----Original Message-----
> From: Jayson K Hanes [mailto:jayson@(protected)]
> Sent: 17 February 2004 17:09
> To: flashcoders@(protected)
> Subject: RE: [Flashcoders] XML socket policy files on ports < 1024
> (SECURITY ISSUE?)
>
>
> Paul,
>
> On first look it seems, yes, you are correct; however -- clients
> wouldn't normally have this ability to connect, disconnect, change
> ports, and then reconnect...
>
> So, although it proves a functional mechanism to "perhaps"
> circumvent a security process -- how could it be exploited?
>
> If you automated the process by code -- great -- you are in on a low
> port number without having a policy file... but.. I'm not digesting a
> possible "exploit"... can you really think of any?
>
>
> -Jayson
>
> Ps. Yeah.. the chattyfig footer and your (previously) unknown email
> address got your off-list email into spamspace :).. (thanks
> for trying!)
>
> > -----Original Message-----
> > From: Paul Lemon [mailto:paull@(protected)]
> > Sent: Tuesday, February 17, 2004 11:52 AM
> > To: flashcoders@(protected)
> > Subject: RE: [Flashcoders] XML socket policy files on ports < 1024
> > (SECURITY ISSUE?)
> >
> >
> > Hi jayson/list,
> >
> > I sent this to your private address jayson@(protected) but got a
> > bounceback. I thought I'd send it to the list for yourself and anyone
> > else who might be interested.
> >
> > I think I have proved that a connection can be made to a socket <1024
> > without any policy file being downloaded from an xml server.
> >
> > I have uploaded a simple test movie to
> > http://www.pilotinteractive.co.uk/paulstest/sockettest.html
> > it should be self explanatory. The source is at
> > http://www.pilotinteractive.co.uk/paulstest/sockettest.fla




======================================================================
Supported by Fig Leaf Software
======================================================================
Be sure to check the archives and the wiki:
http://chattyfig.figleaf.com/
======================================================================
http://chattyfig.figleaf.com/cgi-bin/ezmlm-cgi?1:mss:104504
======================================================================
To unsubscribe send a blank e-mail to:
Normal Mode: flashcoders-unsubscribe@(protected)
Digest Mode: flashcoders-digest-unsubscrive@(protected)
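As an added illustration of the policy-file step the thread says the player is skipping (this is example code written for this page, not code from the original posts, from the linked test movie, or from Macromedia): the server side answers the player's policy request on the target port, and the client side evaluates the returned policy before allowing a socket to that port. It assumes the `<policy-file-request/>` wire format and the `to-ports` attribute of socket policy files; the sample policy and domains are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Assumed wire format: the player sends this on the target port before connecting.
POLICY_REQUEST = b"<policy-file-request/>\x00"

# Constructed sample policy: one domain, explicit ports only (80 plus a high range).
SAMPLE_POLICY = b"""<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="example.com" to-ports="80,1024-1100"/>
</cross-domain-policy>"""


def _port_allowed(spec, port):
    """True if port is covered by a to-ports spec such as "80,1024-1100" or "*"."""
    if spec.strip() == "*":
        return True
    for part in spec.split(","):
        part = part.strip()
        m = re.fullmatch(r"(\d+)-(\d+)", part)
        if m and int(m.group(1)) <= port <= int(m.group(2)):
            return True
        if part.isdigit() and int(part) == port:
            return True
    return False


def _domain_matches(pattern, domain):
    """Exact match, or a "*.example.com" style wildcard that also covers the bare domain."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return domain == pattern[2:] or domain.endswith(pattern[1:])
    return domain == pattern


def policy_allows(policy_xml, domain, port):
    """Client-side check: is a socket from `domain` to `port` permitted by this policy?"""
    root = ET.fromstring(policy_xml)
    for rule in root.findall("allow-access-from"):
        if _domain_matches(rule.get("domain", ""), domain) and _port_allowed(rule.get("to-ports", ""), port):
            return True
    return False


def handle_policy_request(data):
    """Server side: answer a policy request on the listening port; any other data gets no policy."""
    if data == POLICY_REQUEST:
        return SAMPLE_POLICY + b"\x00"
    return None
```

With the sample policy, port 60 from the thread is refused even for the listed domain because it is not named, which is the check the thread reports being skipped when the player reconnects to a low port without fetching the policy.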