
The less you know, the better you sleep, or: stop taking information out of context
Surely I am not the only one surprised by headlines like “Fundamental Adobe Flash bug will not be fixed”. It reeks of yellow journalism from a mile away, and it is clear that the author has absolutely no idea what he is writing about. The main thing is that it contains “Adobe Flash” and a negative subtext, a combination that makes a particularly active part of the Habr community start salivating like Pavlov’s dogs.
And I'm sure that most of my fellow commentators don't know that:
- This is not a bug.
- This is not a Flash vulnerability.
- This is an extremely ancient vulnerability.
But no, all the same... AAAA A NEW FLASH BUG THAT WILL NOT BE FIXED, PANIC, AAAAA !!!11
I look at people like you with tender emotion, gentlemen. For your knowledge is negligible, and you live in blissful ignorance. At some point in life a person comes to understand the proverb “The less you know, the better you sleep.” This “fundamental Flash bug” is not even the tip of the iceberg; you do not even suspect the underwater part, yet you already want to shout.
If you spend half a day digging through the Internet and the specialist literature, you will understand that danger is in fact at every step; most people just don't know about it and take hardware and software for a stone wall without holes or cracks. This vulnerability is just one member of the huge family of cross-site scripting (XSS) vulnerabilities, of which a million have already been closed and as many remain; it is just that nobody really talks about it. Almost everything that runs on the client is subject to XSS. First of all JavaScript, through whose holes the other client technologies crawl: Flash, Java and Silverlight.
Do you know about the 101 ways to fool the check of uploaded files on a server? For example, that you can combine GIF + JAR (aka ZIP) or PDF + JAR, and the resulting file will be a valid PDF and a valid JAR at the same time? Do you know that drafts still blow through huge security holes in your browsers? Not to mention the heaps of sites made by beginners, which are also full of holes on all sides, and which you trust with your personal information and credit card numbers. Do you know that there are many ways to trick even Google and pull your passwords even from the corporation of ~~evil~~ good? Do you know that passwords saved in Firefox can simply be pulled out?
Did you know that this is not even the beginning of the huge list of vulnerabilities we live with? Why are you still alive, then? Because nobody needs you. Not yet.
And why is that? I think the root of all these problems can be dug up somewhere at the origins of the network itself, because the core protocols, which appeared in (I am afraid of getting it wrong) some ancient year, are completely unprotected. What would they have been protected for? Back then, anyone who said he was going to do online banking would have been laughed at on the spot. And only later, as the need arose, did people start cobbling together all sorts of policies.
P.S. As for the Flash part of the vulnerability, I carried out the same cookie theft back in two-thousand-and-something on a forum that allowed Flash uploads. There is nothing new here.
P.P.S. I was asked to explain how the vulnerability works. In short, XSS vulnerabilities rely on someone else's malicious client code being executed in the protected zone of the attacked domain. The security system assumes that since something is executed from the example.com domain, it belongs to that domain and can safely be given access to all of that domain's information. All that remains is to somehow slip the malicious code in. Read about XSS on the Internet.
Now, what we have in the article and how it relates to Flash. It relates to Flash the same way it relates to everything else; it has simply been dragged in by the ears for Flash specifically. So, I upload an SWF to a site that allows this. If the site doesn't allow it, I upload the same SWF disguised as something else (I won't write exactly how to disguise it, because I am afraid of getting it wrong and would need to experiment). Accordingly, if this SWF ends up on the example.com domain in the uploads folder, it is considered native to that domain, because someone once assumed that if content is publicly served from example.com, then only the site admin could have put it there (haha). As a result, my malicious SWF gets access, through JavaScript, to the entire environment. If it is also displayed somewhere on example.com without allowscriptaccess = never and allownetworking = never, it is game over immediately. But the author of the aforementioned article shows a case where the SWF is hosted on example.com, and is therefore native to it, but is opened from some unrelated URL. That is, Vasya sends you a link saying “come here”, you click it and see this SWF, which has access to your cookies on example.com. Is the idea clear? Replace example.com with whatever you like and panic. Yet all it takes is to upload the junk to the barahlo.example.com domain instead, and none of this will work.
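An added example, not from the original post: a server-side upload check for the tricks mentioned above (a GIF that is also a valid JAR/ZIP, an SWF uploaded under another name). It reports every format the bytes satisfy instead of trusting the extension or the first header; the function names and sample bytes are constructed for illustration.

```python
import io
import zipfile

# Leading magic bytes for the formats this page mentions.
HEAD_MAGIC = {
    b"GIF87a": "gif", b"GIF89a": "gif",
    b"%PDF-": "pdf",
    b"FWS": "swf", b"CWS": "swf", b"ZWS": "swf",  # raw, zlib and LZMA SWF
}


def detect_formats(data: bytes) -> set:
    """Return every format the bytes would be accepted as, not just the first."""
    found = {name for magic, name in HEAD_MAGIC.items() if data.startswith(magic)}
    # ZIP/JAR readers locate the archive from the end-of-central-directory
    # record near the END of the file, so leading bytes of another format do
    # not stop the same file from also being a valid archive.
    if zipfile.is_zipfile(io.BytesIO(data)):
        found.add("zip/jar")
    return found


def accept_upload(data: bytes, allowed: set) -> bool:
    """Accept only files that are exactly one format, and an allowed one."""
    formats = detect_formats(data)
    return len(formats) == 1 and formats <= allowed


def constructed_samples() -> dict:
    """Constructed test inputs: harmless header bytes plus an archive of text."""
    gif = b"GIF89a" + bytes([1, 0, 1, 0, 0, 0, 0]) + b";"  # header + trailer only
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("note.txt", "constructed sample")
    return {
        "plain.gif": gif,
        "gif_plus_zip.gif": gif + buf.getvalue(),   # GIF header, ZIP tail
        "renamed_swf.gif": b"CWS" + bytes(16),      # SWF magic, .gif name
    }


if __name__ == "__main__":
    for name, blob in constructed_samples().items():
        print(name, sorted(detect_formats(blob)), accept_upload(blob, {"gif"}))
```

A check like this narrows what gets stored; serving uploads from a separate domain, as the post recommends, is what limits the damage when a file slips through anyway.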
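An added example, not from the original post: an audit that lists the SWF embeds on a page that lack the restrictive parameters mentioned above. It assumes the strictest values Flash documents, allowScriptAccess=never and allowNetworking=none; the class name and the sample HTML are constructed.

```python
from html.parser import HTMLParser

# Assumption: Flash's documented strictest settings for the two parameters.
REQUIRED = {"allowscriptaccess": "never", "allownetworking": "none"}


class SwfEmbedAudit(HTMLParser):
    """Collect SWF embeds whose script/network access is not locked down."""

    def __init__(self):
        super().__init__()
        self.findings = []     # (swf_url, {weak_or_missing_param: value})
        self._object = None    # params of the <object> currently open

    def _check(self, src, params):
        weak = {k: params.get(k) for k, v in REQUIRED.items()
                if (params.get(k) or "").lower() != v}
        if src and src.lower().split("?")[0].endswith(".swf") and weak:
            self.findings.append((src, weak))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)        # HTMLParser already lowercases attribute names
        if tag == "embed":
            self._check(a.get("src"), a)
        elif tag == "object":
            self._object = {"movie": a.get("data")}
        elif tag == "param" and self._object is not None:
            self._object[(a.get("name") or "").lower()] = a.get("value")

    def handle_endtag(self, tag):
        if tag == "object" and self._object is not None:
            self._check(self._object.get("movie"), self._object)
            self._object = None


def audit(html):
    parser = SwfEmbedAudit()
    parser.feed(html)
    return parser.findings


# Constructed sample page: one unrestricted embed, one locked-down object.
SAMPLE = """
<embed src="/uploads/avatar.swf" width="100" height="100">
<object data="/uploads/banner.swf">
  <param name="allowScriptAccess" value="never">
  <param name="allowNetworking" value="none">
</object>
"""
```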