[Laszlo-dev] serverless operation (security note)
clyman at apprenticeis.com
Thu Jan 20 10:26:16 PST 2005
If I understand Sarah's argument, it would work something like this:
I write a flash widget that sweeps the IP of the subnet that the movie
plays on for (say) open port 80s.
I send the movie as an embedded object in an email that is then played
on the recipient computers behind the corporate firewall.
The movie runs and then finds the corporate intranet page. The movie
slurps the site and sends it home via port 80 calls (that won't be
stopped by the firewall).
It's assumed that the bad guys won't have access to the root of the
From: laszlo-dev-bounces at openlaszlo.org
[mailto:laszlo-dev-bounces at openlaszlo.org] On Behalf Of Eric Bloch
Sent: Thursday, January 20, 2005 12:12 PM
To: OpenLaszlo platform development and bug reporting
Subject: Re: [Laszlo-dev] serverless operation (security note)
Sarah Allen wrote:
> The danger is to that site. The firewall prevents external access,
> not access from my desk. If the Flash Player were to allow a
> to make any connection, someone could write an application that
> to be a fun greeting card, but was really accessing
> private.mycompany.com. Then the evil hacker would just send those
> greeting cards to a bunch of employees and get at the private data of
> the company.
I don't understand this.
If you wrote the greeting card to go to private.mycompany.com, then evil
guys would just put a crossdomain.xml file there on
private.mycompany.com and do their evil stuff, right?
Laszlo-dev mailing list
Laszlo-dev at openlaszlo.org
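Added illustration of the crossdomain.xml decision the thread is arguing about (example code, not from the list or from OpenLaszlo): a model of the Player's check that denies a site serving no policy file, such as private.mycompany.com above, plus a defender's audit that flags grants broad enough to expose an intranet host. The sample policies are constructed, and treating `*.example.com` as covering the bare `example.com` is an assumption of this model.

```python
import xml.etree.ElementTree as ET

# Constructed: an over-permissive policy an admin might drop on an intranet host
OPEN_POLICY = """<cross-domain-policy>
  <allow-access-from domain="*" secure="false"/>
</cross-domain-policy>"""

# Constructed: a policy scoped to the company's own domain
SCOPED_POLICY = """<cross-domain-policy>
  <allow-access-from domain="*.mycompany.com"/>
</cross-domain-policy>"""

def _domain_matches(pattern: str, host: str) -> bool:
    """'*' grants everyone; '*.example.com' covers subdomains and (assumed
    here) the bare example.com; anything else must match exactly."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern

def is_allowed(policy_xml, swf_host: str,
               swf_https: bool = False, policy_https: bool = False) -> bool:
    """Would a SWF loaded from swf_host be allowed to read this site's data?
    policy_xml=None models a host that serves no crossdomain.xml at all:
    the Player denies by default, which is Eric's point in the thread."""
    if policy_xml is None:
        return False
    for rule in ET.fromstring(policy_xml).iter("allow-access-from"):
        if not _domain_matches(rule.get("domain", ""), swf_host):
            continue
        # secure="true" (the default) stops an HTTP-loaded SWF reading an HTTPS site
        secure = rule.get("secure", "true").lower() != "false"
        if policy_https and secure and not swf_https:
            continue
        return True
    return False

def audit(policy_xml: str) -> list:
    """Defender's check: report grants broad enough to expose this host to the Internet."""
    findings = []
    for rule in ET.fromstring(policy_xml).iter("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append("domain='*' lets a SWF from any site read this host")
        if rule.get("secure", "true").lower() == "false":
            findings.append(f"secure='false' on {domain!r} lets HTTP-loaded SWFs read an HTTPS host")
    return findings
```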