MPSB02-08 - Macromedia Flash Player Cross Server Scripting Security Issue
Originally posted: June 13, 2002
Last updated: June 13, 2002
Summary
Macromedia has recently become aware of a security loophole that exists when Macromedia Flash (SWF) content coming from one domain is included in an HTML page located on a different domain, creating the ability to read and transfer data, such as cookies, from the HTML server domain to the Macromedia Flash domain. Web sites that host Macromedia Flash content directly from their own Web site domain are not affected by this issue.
Issues
An important security restriction in client-side scripting is that script code is not allowed to inspect, modify, or otherwise interact with any documents that come from a Web domain other than the one from which the script itself came.
A Flash movie hosted in an HTML page can execute script in that page by passing a scripting statement (for example a javascript: URL) to the ActionScript getURL() function. When this occurs, cross-domain security is not enforced between the Flash movie and the HTML page in which it is hosted: the script runs with the privileges of the hosting page, not the domain the movie was loaded from. This means that it is possible to author Flash movies that read and modify their surrounding HTML pages, including cookies and form data, even though the movie and its host page reside in separate domains. This issue occurs with both the ActiveX version of Macromedia Flash Player for Internet Explorer and the Netscape plugin for Netscape Navigator.
This issue can only affect websites whose HTML pages directly source Flash movies that are served from other domains and that could be written by individuals not trusted by the operator of the website. Examples of this kind of arrangement include sites that aggregate third-party Macromedia Flash content and Flash-based "signatures" in message board posts.
Solution
A simple solution is to create a cross-domain HTML-to-HTML boundary between the main pages of a website and any untrusted Macromedia Flash movies that the site wishes to display. Website operators can do this by creating a "wrapper" HTML page around the Flash movies in question. The wrapper page must be separate from the main hosting page; it might be in a separate browser window, a separate browser frame, or an IFRAME. The wrapper page must be in a different domain than the main hosting page. For example, if the main page is served from www.macromedia.com, the wrapper page could be served from external.macromedia.com, and the browser's cross-domain scripting restrictions would then prevent any Macromedia Flash movies inside the wrapper page from reaching the document, forms, or scripts of www.macromedia.com. This technique depends on web browsers to enforce cross-domain scripting security, and it is important to be aware that different browsers vary in their implementations of cross-domain security. Two further points apply when choosing the wrapper domain: script in the wrapper page must not be able to relax the boundary (for example by setting document.domain to the shared parent domain), and any cookies the main site sets with a Domain attribute covering the parent domain (such as .macromedia.com) are still sent to a sibling host like external.macromedia.com and can be read there by the same getURL() technique. Serving the wrapper from a separately registered domain avoids both problems.
What Macromedia Is Doing
Macromedia will release an updated Macromedia Flash Player in the July timeframe that will introduce an easy way to control content with the following option:
Web pages that source Flash movies can pass a new parameter to the Macromedia Flash Player from the HTML code (PARAM tag for Internet Explorer, EMBED tag for Netscape Navigator).
This parameter is called "AllowScriptAccess". It can have two possible values: "always" and "never".
- When AllowScriptAccess is "never", outbound scripting (ActionScript getURL() actions that specify a scripting statement) will always fail.
- When AllowScriptAccess is "always", outbound scripting will always succeed.
- If AllowScriptAccess is not specified by an HTML page, it defaults to "always".
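The following is an added example, not code from the bulletin or from Macromedia, that turns the two recommendations above into an audit a site operator can run over their own pages. It parses a page's HTML, finds every SWF sourced from a different origin through either the Internet Explorer path (OBJECT with a movie PARAM) or the Netscape path (EMBED), and reports those whose AllowScriptAccess is not "never", treating an unspecified parameter as "always" as the bulletin states. A second helper checks whether a proposed wrapper page actually sits on a different origin from the main page and whether the two share a parent domain, the cookie caveat noted under Solution. The sample page, the host names, and the two-label approximation of "parent domain" are all constructed assumptions for illustration.

```python
"""Audit HTML for cross-domain Flash embeds that leave outbound scripting on.

Added example for MPSB02-08; not Macromedia code.  Assumptions (not from the
bulletin): a missing AllowScriptAccess means "always", and "cross-domain"
means the SWF's (scheme, host, port) differs from the page's.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


def origin(url):
    """The (scheme, host, port) triple browsers compare for same-origin."""
    u = urlparse(url)
    return (u.scheme.lower(), (u.hostname or "").lower(), u.port)


class SwfEmbedAuditor(HTMLParser):
    """Collect every SWF sourced from another origin whose AllowScriptAccess
    is not 'never'.  The IE path (<object>/<param>) and the Netscape path
    (<embed>) are checked independently because each is rendered by a
    different player build."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_origin = origin(page_url)
        self.findings = []   # (tag, absolute swf url, effective setting)
        self._obj = None     # params of the <object> currently open

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}   # HTMLParser lowercases names
        if tag == "object":
            self._obj = {"movie": None, "allowscriptaccess": None}
        elif tag == "param" and self._obj is not None:
            name = a.get("name", "").lower()
            if name in self._obj:
                self._obj[name] = a.get("value")
        elif tag == "embed" and a.get("src", "").lower().endswith(".swf"):
            self._check("embed", a["src"], a.get("allowscriptaccess"))

    def handle_endtag(self, tag):
        if tag == "object" and self._obj is not None:
            if self._obj["movie"]:
                self._check("object", self._obj["movie"],
                            self._obj["allowscriptaccess"])
            self._obj = None

    def _check(self, tag, swf, allow):
        swf_url = urljoin(self.page_url, swf)
        setting = (allow or "always").lower()   # bulletin: unspecified == always
        if origin(swf_url) != self.page_origin and setting != "never":
            self.findings.append((tag, swf_url, setting))


def audit_page(page_url, html):
    """Return the list of risky cross-origin SWF embeds found in html."""
    p = SwfEmbedAuditor(page_url)
    p.feed(html)
    p.close()
    return p.findings


def wrapper_isolates(main_url, wrapper_url):
    """Check a proposed wrapper page against the main page.

    Returns (different_origin, shares_parent_domain).  The first must be
    True for the HTML-to-HTML boundary to exist at all.  If the second is
    also True, cookies set with a Domain attribute covering the parent
    (e.g. .macromedia.com) still reach the wrapper host and are readable
    there.  Parent domain is approximated as the last two labels (assumption).
    """
    m, w = origin(main_url), origin(wrapper_url)
    parent = lambda host: ".".join(host.split(".")[-2:])
    return (m != w, parent(m[1]) == parent(w[1]))


# Constructed sample page (not from the bulletin): a forum thread showing
# two third-party signature movies and one of the site's own menus.
SAMPLE_URL = "http://www.example.test/forum/thread.html"
SAMPLE_HTML = """
<object>
  <param name="movie" value="http://sigs.third-party.test/user42.swf">
  <embed src="http://sigs.third-party.test/user42.swf" allowScriptAccess="never">
</object>
<object>
  <param name="movie" value="http://sigs.third-party.test/user43.swf">
  <param name="AllowScriptAccess" value="never">
</object>
<embed src="/menus/nav.swf">
"""

if __name__ == "__main__":
    for tag, url, setting in audit_page(SAMPLE_URL, SAMPLE_HTML):
        print(f"{tag}: {url} allows outbound script (AllowScriptAccess={setting})")
    print(wrapper_isolates("http://www.macromedia.com/",
                           "http://external.macromedia.com/"))
```

On the sample page only the first OBJECT is reported: its Netscape-path EMBED is locked down, but the IE path has no AllowScriptAccess PARAM and so defaults to "always". The site's own menu movie is same-origin and is skipped, since the bulletin's issue does not apply to content served from the site's own domain.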
Macromedia is committed to the security of the Macromedia Flash Player, and invests considerable ongoing effort to ensure that the security and privacy of all Macromedia Flash Player users and all websites serving Macromedia Flash content are protected.
What Customers Should Do
Customers should follow the recommendations found in this bulletin and download the newer Flash Player when it is available.
Revisions
June 13, 2002 - Bulletin first released.
December 1, 2004 - Example solution updated.
Reporting Security Issues
Macromedia is committed to addressing security issues and providing
customers with the information on how they can protect themselves.
If you identify what you believe may be a security issue with a Macromedia
product, please send an email to secure@macromedia.com.
We will work to appropriately address and communicate the issue.
Receiving Security Bulletins
When Macromedia becomes aware of a security issue that we believe
significantly affects our products or customers, we will notify customers
when appropriate. Typically this notification will be in the form
of a security bulletin explaining the issue and the response. Macromedia
customers who would like to receive notification of new security bulletins
when they are released can sign up for our security notification service.
For additional information on security issues at Macromedia, please
visit: http://www.macromedia.com/security.
ANY INFORMATION, PATCHES, DOWNLOADS, WORKAROUNDS OR
FIXES PROVIDED BY MACROMEDIA IN THIS BULLETIN ARE PROVIDED "AS IS" WITHOUT
WARRANTY OF ANY KIND. MACROMEDIA AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES,
WHETHER EXPRESS OR IMPLIED OR OTHERWISE, INCLUDING THE WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE. ALSO, THERE IS NO WARRANTY OF NON-INFRINGEMENT,
TITLE OR QUIET ENJOYMENT. (USA ONLY) SOME STATES DO NOT ALLOW THE EXCLUSION
OF IMPLIED WARRANTIES, SO THE ABOVE EXCLUSION MAY NOT APPLY TO YOU.
IN NO EVENT SHALL MACROMEDIA, INC. OR ITS SUPPLIERS BE LIABLE FOR
ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT LIMITATION, DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, SPECIAL, PUNITIVE, COVER, LOSS OF PROFITS,
BUSINESS INTERRUPTION OR THE LIKE, OR LOSS OF BUSINESS DAMAGES, BASED
ON ANY THEORY OF LIABILITY INCLUDING BREACH OF CONTRACT, BREACH OF
WARRANTY, TORT(INCLUDING NEGLIGENCE), PRODUCT LIABILITY OR OTHERWISE,
EVEN IF MACROMEDIA, INC. OR ITS SUPPLIERS OR THEIR REPRESENTATIVES
HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. (USA ONLY) SOME
STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL
OR INCIDENTAL DAMAGES, SO THE ABOVE EXCLUSION OR LIMITATION MAY NOT
APPLY TO YOU AND YOU MAY ALSO HAVE OTHER LEGAL RIGHTS THAT VARY FROM
STATE TO STATE.
Macromedia reserves the right, from time to time, to update the information
in this document with current information.