user15063

Security issue in regard to flash .swf files

I allow people to upload .swf files (games) to my server. I review them, and post the good ones on the site. Can someone, theoretically, put a pure flash uploader script into the game, and upload malicious files to the server? All the flash upload scripts usually require a php/asp/whatever script to catch the upload and take it from there. Can this be done with pure flash in theory, and if so... how do you prevent it?

Upvotes: 1

Views: 1436

Answers (2)

badunk

Reputation: 4350

Short answer: no - but you should be concerned with XSS.

Technically, however, you are vulnerable at the time when you test the swf file. While Adobe generally tries to protect its users by putting .swf files in a sandbox, you can write a swf file that has local file access (but no network permissions).

When your server is serving the swf file, the swf file is executing on the client's computer - not yours. The ONLY difference in your situation is that the swf file is technically running on the same domain as the server itself - thus wvxw is right in that it can access services that you have exposed on that domain. In the normal case, Adobe prevents swf files from accessing resources across different domains (unless you have a crossdomain file placed on the server root). However, this protection is mostly to protect the user of the swf file and NOT the server. A malicious attacker can easily intercept the request for the crossdomain.xml file and feed it a custom one. This effectively allows swf files to make requests to any domain.

As it was mentioned, flash (or any other language really) can take advantage of any preexisting vulnerabilities on your filesystem.

You should be more concerned with XSS. The flash application can technically make requests to a different domain to collect information about your users. Just to make a point, a really crafty flash application could technically pull its own swf file from another domain (that the creator has approved through crossdomain file) at some point after your approval. This swf file can then have a completely different behavior than what you approved.

This is a general problem whenever you give your users the power to post things. XSS attacks are usually thwarted by parsing for malicious code on the server side. In your case, it is essentially impossible to do that since swf files are in binary.

Upvotes: 0

user797257

In the order of diminishing likeliness (more likely -> less likely):

Any SWF served from your server can call scripts available to the server. If those scripts upload anything, then SWF can use them.

If your server serves a crossdomain suitable for sockets, then SWF can implement Telnet, FTP, SSH, and lots of other protocols based on TCP. If your server accepts automatic uploads using those protocols, SWF could use them.

SWF file may have a name that if, for example, searched with Unix find may be understood as a call to another command (Unix file names allow line breaks, for example, so a program reading from output stream of another program using shell may accidentally provoke argument expansion / execution of random code, if you aren't careful enough).

Any general vulnerability can be exploited, like, for example, if the evildoer knows about a way to feed SWF file to a program reading it and coerce the program somehow into giving away some confidential information; of course, then anything is possible. SWF, however, has no advantage in this regard, any file can be equally "useful", if the opportunity presents itself.

Upvotes: 1
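An added example, not part of either answer above, for the file-name point in the second answer: it shows how a line-based reading of `find` output miscounts an upload whose name contains a line break, and one mitigation, moving every upload to a server-generated name. The sample file names and the function names are constructed for this illustration.

```shell
#!/bin/sh
# Constructed sample: an upload directory with one ordinary SWF name and one
# whose name contains a line break (both names are made up for this example).
make_sample_dir() {
    d=$(mktemp -d) || return 1
    printf 'FWS' > "$d/game.swf"
    printf 'FWS' > "$d/$(printf 'puzzle\nlevel2.swf')"
    printf '%s\n' "$d"
}

# Fragile: treats each line of find output as one file name, so the
# two-line name is seen as two entries.
count_by_lines() {
    find "$1" -type f | wc -l | tr -d ' '
}

# Robust: find runs the command once per file it matched; the name is
# never split on line breaks or re-parsed by a shell.
count_by_exec() {
    find "$1" -type f -exec printf 'x' \; | wc -c | tr -d ' '
}

# Mitigation: move every upload from $1 into $2 under a server-generated
# name, so the uploader-chosen name never reaches later scripts.
rename_uploads() {
    find "$1" -type f -exec sh -c '
        dest=$1; shift
        for f in "$@"; do
            new=$(mktemp "$dest/upload.XXXXXX") || exit 1
            mv -f -- "$f" "$new"
        done' sh "$2" {} +
}

# Demo run on the constructed sample.
src=$(make_sample_dir); dst=$(mktemp -d)
echo "line-based count: $(count_by_lines "$src"), per-file count: $(count_by_exec "$src")"
rename_uploads "$src" "$dst"
echo "after renaming: $(count_by_lines "$dst") lines for $(count_by_exec "$dst") files"
rm -rf "$src" "$dst"
```
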
