漏洞问题 - Security.allowDomain(*) - Flow 播放器
我们在网站上使用 Flow 播放器控件来观看视频。我们可以正常观看视频了。 但当我们运行网站安全漏洞测试时,检测到了可能的威胁。
线程 -- Security.allowDomain("*") 在 Flash 影片中使用 http://abc.com/JScripts/flowplayer-3.1.5.swf
Flow Player 版本是 3.1.5
谁能告诉我需要采取什么措施来处理这种安全威胁? 下面是代码
<script type="text/javascript" language="JavaScript">
flowplayer("player", "../JScripts/flowplayer-3.1.5.swf", {
clip: {url: '<%= getVideoUrl() %>', autoPlay: false,autoBuffering: true},
plugins:
{
controls:
{
url: '../JScripts/flowplayer.controls-3.1.5.swf',
all: false, play: true, stop: true, scrubber: true,volume: true,
mute: true, time: true, tooltips: {buttons: true, fullscreen: 'Enter fullscreen mode'}
}
}
});
</script>
We are using a Flow player control on website to view video's. We are able to view the video properly.
But when we ran a Website Security Vulnerability Test , a possible threat was detected.
Thread -- Security.allowDomain("*") is used in a Flash movie
http://abc.com/JScripts/flowplayer-3.1.5.swf
The flow player version is 3.1.5
Can anyone tell what needs to be done to handle this security threat?
Below is the code
<script type="text/javascript" language="JavaScript">
flowplayer("player", "../JScripts/flowplayer-3.1.5.swf", {
clip: {url: '<%= getVideoUrl() %>', autoPlay: false,autoBuffering: true},
plugins:
{
controls:
{
url: '../JScripts/flowplayer.controls-3.1.5.swf',
all: false, play: true, stop: true, scrubber: true,volume: true,
mute: true, time: true, tooltips: {buttons: true, fullscreen: 'Enter fullscreen mode'}
}
}
});
</script>
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
这只是说您允许所有域运行您的脚本并正确使用它们,比如有人想要从另一个站点运行您的 swf 脚本。 “*”部分表示每个域都可以这样做。漏洞评估表明这是一个问题,因为所有域都可以访问 swf 文件中的变量和对象,但是通过自动漏洞评估,您通常会收到很多误报。如果您仍然担心,请查看文档 http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/flash/system/Security.html
That is just saying that you are allowing all domains to run your script and to use them properly, say someone wants to run your swf script from another site. "*" part means every domain is allowed to do that. the vulnerability assessment says this is an issue because all domains have access to your variables and objects in your swf file, however with automatic vulnerability assessments you typically get a lot of false positives. If you are still concerned take a look at the docs at http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/flash/system/Security.html
这是一个很大的问题。在许多情况下,这意味着攻击者可以:
假设您有 http://www.abc.com/mail ,可以使用 cookie 或HTTP 验证。攻击者也许能够加载所有数据并将其发送到他的服务器。
受信任或受控制,攻击者无法将 SWF 上传到
在不使用环境的其他服务器上托管易受攻击的 SWF
证书
This is a huge issue. In many cases it means that attacker can:
Imagine you have http://www.abc.com/mail that is accessible using cookie or HTTP Auth. Attacker may be able to load all that data and send it to his server.
trusted or controlled that attacker can't upload SWF to
host vulnerable SWF on other server that doesn't use ambient
credentials