Xavier's Security Post
Monday, December 19, 2005
Cross Data Domain crossdomain.xml misconfigurations
While doing research for the previous post, I came across a security-sandbox feature implemented by Macromedia Flash. It is called cross-domain data sharing, and it lets the host serving the .swf Flash files define which domains may exchange data with the Flash files themselves. Using the file "crossdomain.xml", you can restrict data sharing (variables and the like) down to your own *.domain. I've noticed that many sites use this technique and have configured their crossdomain.xml file correctly.

However, in the case of MySpace we saw what kind of danger arises from allowing every domain (*) to share data. By combining XML HTTP requests with an over-permissive crossdomain.xml, XSS attacks can succeed on sites that allow users to embed Flash objects in their dynamic pages.
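
As an added illustration of the check a site owner would want to run on their own policy file (this is example code written for this post, not Flash's policy engine and not code from any of the sites listed below), the following script parses a crossdomain.xml document and classifies each allow-access-from entry relative to the site's own domain. The two sample policies and the domain "example.com" are constructed for the example; the "wildcard-all" finding corresponds to the * configuration discussed above.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies (not copied from any real site).
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>
"""

RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="www.example.com" />
  <allow-access-from domain="*.example.com" secure="true" />
</cross-domain-policy>
"""

MIXED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.example.com" />
  <allow-access-from domain="partner.example.net" />
</cross-domain-policy>
"""


def parse_allowed_domains(policy_xml):
    """Return the domain patterns the policy grants data access to, in order."""
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain-policy document")
    return [el.get("domain", "") for el in root.iter("allow-access-from")]


def audit_policy(policy_xml, own_suffix):
    """Classify each allow-access-from entry against the site's own domain.

    own_suffix is the site's registrable domain (an assumed value such as
    "example.com"). Each entry is tagged as one of:
      "wildcard-all": domain="*", so Flash content from any site can read data
      "own":          the site's own domain or a subdomain of it (intended use)
      "foreign":      any other domain, i.e. a third party granted access
    """
    findings = []
    for pattern in parse_allowed_domains(policy_xml):
        if pattern == "*":
            findings.append((pattern, "wildcard-all"))
        elif pattern == own_suffix or pattern.endswith("." + own_suffix):
            findings.append((pattern, "own"))
        else:
            findings.append((pattern, "foreign"))
    return findings


def is_misconfigured(policy_xml, own_suffix):
    """True if any entry grants access beyond the site's own domain."""
    return any(kind != "own" for _, kind in audit_policy(policy_xml, own_suffix))


if __name__ == "__main__":
    for name, policy in [("permissive", PERMISSIVE_POLICY),
                         ("restricted", RESTRICTED_POLICY),
                         ("mixed", MIXED_POLICY)]:
        print(name, is_misconfigured(policy, "example.com"),
              audit_policy(policy, "example.com"))
```

Run against a policy fetched from your own server, the script reports "wildcard-all" for the * entry and "foreign" for any domain you do not control; only entries tagged "own" match the restricted configuration the post recommends.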

I've run into a few other popular sites with misconfigurations in their crossdomain.xml files; the list below shows them (including MySpace):

http://www.myspace.com/crossdomain.xtml
http://xml.amazon.com/crossdomain.xml
http://api.search.yahoo.co.jp/crossdomain.xml
http://www.flickr.com/crossdomain.xml
http://content.gamebookers.com/crossdomain.xml
http://flash.oprah.com/crossdomain.xml
http://advision.webevents.yahoo.com/crossdomain.xml (every allowed domain except for the first is good)
http://www.jabber.org/crossdomain.xml (target servers running on those defined ports)
The sites below, by contrast, have configured their crossdomain.xml files correctly:

http://dyn.ifilm.com/crossdomain.xml
http://www.neopets.com/crossdomain.xml
http://www.autodesk.com/crossdomain.xml
http://www.washingtonpost.com/crossdomain.xml
http://psc.disney.go.com/crossdomain.xml
http://www.carthage.edu/crossdomain.xml
This public blog will be a place for me to output any Security findings, both technological and physical, that I have come across. I will post Security advisories I was a part of, and also other interesting bits of knowledge. email: xavier [at] tigerteam.se
