-
Looking for information as to how .swf files can be manipulated once uploaded to a web server. If the server is hacked, and if one were so inclined (and had the technical capability), can an .swf file be manipulated (binary code) either on the server, or downloaded and later replaced (back on the server) with malicious code or attachment? Put another way, if the .swf is created with no malicious intent and subsequently uploaded to the web server, is it susceptible to harmful manipulation after the fact, either to the client side (downloaders) OR to any other data that resides on the server itself? Are common viruses like Worm and Trojan necessarily attached with the .swf file by the .swf creator, or later by someone up to no good? If you can answer, please expand on reasons or possibilities.
Thank you!
JD
-
Only if someone malicious has write access to the server is this possible (error number one... solve that problem first).
They most likely wouldn't waste too much time on SWFs if they had hacked into the server, but...
SWF files can attack users by exploiting buffer overruns in the Flash player (assuming that the latest Flash player is not installed, or they have discovered a new exploit). Or, they can also use some known scripting vulnerabilities. You can find more complete info on Macromedia's site about that type of thing.
Your server is pretty safe though (at least from SWF-based attacks... security allowing the write in the first place should be addressed if this user was not supposed to have access). SWF files are only executed on the client side, so, like JavaScript, they aren't going to ever attack the server (unless someone made up a DNS attacking script or something and embedded it in the SWF and you had thousands of visitors looking at this SWF... but that is still an outside attack).
--Jesse
-
Thank you Jesse, very helpful.
JD
-
.swf security issues
Jesse,
Just so I'm clear on your explanation, my understanding is that an .swf file intended to inflict damage must be ENGINEERED that way to begin with, yes?
Thanks!
JD
-
Hi,
As long as the visitor is viewing a changed swf through the browser and not downloading it to the hard disk and viewing it in the Flash app's viewer, most modifications to the movie will not affect the viewer.
Musicman
-
Thanks, Musicman, for the input... what about an action created (in the preloader, for example) to automatically download the .swf - viewer has no idea he's downloading it?
-
I don't know whether there is any way to download anything from the movie playing - Macromedia says the movie is safe from attacks.
Musicman
-
Actually...Macromedia has released quite a few warnings about security flaws recently (buffer overflow, scripting, etc). You can find them all on their site.
Earlier versions of the Flash player should also be vulnerable to the ZLIB buffer overflow vulnerability, as they do use ZLIB compression.
--Jesse
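
A defender-side check for the two concerns raised in this thread (an .swf replaced on the server after upload, and zlib-compressed SWF content), added here as an example and not code posted by any participant. It reads the 8-byte SWF header (`FWS` or `CWS` signature, version byte, 32-bit little-endian uncompressed length), inflates `CWS` bodies under a size cap, and compares a SHA-256 against a baseline recorded at upload time. The names `inspect_swf`, `make_swf` and `MAX_BODY` are hypothetical, and the sample files are constructed.

```python
import hashlib
import struct
import zlib
from typing import Optional

MAX_BODY = 64 * 1024 * 1024  # assumed ceiling on decompressed size


def inspect_swf(data: bytes, baseline_sha256: Optional[str] = None) -> dict:
    """Parse the 8-byte SWF header and report integrity findings."""
    findings = []
    if len(data) < 8 or data[:3] not in (b"FWS", b"CWS"):
        return {"valid": False, "findings": ["not an FWS/CWS file"]}
    compressed = data[:3] == b"CWS"
    version = data[3]
    declared = struct.unpack("<I", data[4:8])[0]  # total length once inflated
    body = data[8:]
    if compressed:
        # Bounded inflate: never produce more than MAX_BODY bytes of output.
        inflater = zlib.decompressobj()
        try:
            body = inflater.decompress(body, MAX_BODY)
        except zlib.error as exc:
            return {"valid": False, "findings": [f"zlib error: {exc}"]}
        if inflater.unconsumed_tail:
            findings.append("decompressed body exceeds size cap")
        elif not inflater.eof:
            findings.append("zlib stream truncated")
        elif inflater.unused_data:
            findings.append("trailing bytes after zlib stream")
    if 8 + len(body) != declared:
        findings.append("declared length does not match actual length")
    digest = hashlib.sha256(data).hexdigest()
    if baseline_sha256 is not None and digest != baseline_sha256:
        findings.append("hash differs from recorded baseline")
    return {"valid": True, "version": version, "compressed": compressed,
            "sha256": digest, "findings": findings}


def make_swf(body: bytes, version: int = 6, compress: bool = True) -> bytes:
    """Build a constructed sample: valid header plus arbitrary body bytes."""
    header = (b"CWS" if compress else b"FWS") + bytes([version])
    header += struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if compress else body)
```

Record the `sha256` value when the file is first published and re-run the check on a schedule; any finding on a file nobody redeployed points back to the write-access problem described above.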
-
Use this:
free swf protect tools - http://www.e-beroun.cz/swfenc.asp
- obfuscating
- server side decoding /IIS only/
- domain name restrict /don't move to another server/
- save as protect