Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
Currently I’m allowed users to add application/x-shockwave-flash objects to their profiles in my website. I’ve only filtered the URL and the content-type is set to “application/x-shockwave-flash”
Is there any vulnerabilities in allowing my users to link to remote flash/video files?
It should be safe in principle, assuming that the users only specify a file (they don’t write the embed code), and that they cannot upload files to your server.
You might care to make use of the
allowNetworkingandallowScriptAccessparameters in the embed tag where you embed the SWF, to limit what these embedded SWFs are allowed to do. See here for details.Also, I’m assuming you don’t have a wide-open crossdomain.xml file on your server. If you all open crossdomain access, then I think it’s possible that hotlinking to unknown SWFs could be unsafe. (If you don’t have any crossdomain.xml policy file, you’re fine – the default is for no access to be granted if no policy exists.)