Closed Bug 530351 Opened 16 years ago Closed 6 years ago

Mitigate Flash vulnerability by enforcing MIME type for cross-site <object type=application/x-shockwave-flash> loads

Categories

(Core Graveyard :: Plug-ins, defect)

x86
macOS
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: jruderman, Unassigned)

Details

(Keywords: sec-want, Whiteboard: [sg:want?])

http://news.slashdot.org/story/09/11/12/2337236/Flash-Vulnerability-Found-Adobe-Says-No-Fix-Forthcoming
http://www.foregroundsecurity.com/MyBlog/flash-origin-policy-issues.html
http://www.foregroundsecurity.com/MyBlog/flash-origin-attack-faq.html
http://www.foregroundsecurity.com/MyBlog/adobe-responds-sort-of.html

When <object type=application/x-shockwave-flash> invokes Flash, Flash ignores the MIME type specified by the server. This creates an XSS-like vulnerability for any site that allows file uploads, even if it restricts the files to specific MIME types (e.g. images or zips), unless it uses content-disposition:attachment or an extra hostname.

This is clearly not a sane situation. Even "static" sites generally contain images, and nobody checks to make sure their images don't contain appended swf bits.

Is there anything we can do about this, short of blocklisting Flash? Could we stop handing <object> content to the Flash plugin unless it has the right MIME type or comes from the same site as the <object> tag?
> Could we stop handing <object> content to the Flash plugin unless it has the
> right MIME type or comes from the same site as the <object> tag?

The sites in bug 395110 and bug 389677 were both cross-site loads (in one case from a video hosting site, in one case from an images.* subdomain of the same tld+1).
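As an added illustration, not code from this bug or from Mozilla, of the two defender-side checks the report implies: an upload validator that rejects "images" carrying an SWF header (the appended swf bits the reporter mentions), and a check that uploaded content is served in one of the two ways the report names as safe, Content-Disposition: attachment or a separate hostname. The SWF header plausibility test is a heuristic rather than a parser, and the example.com hostnames in the usage are constructed.

```python
import re
from urllib.parse import urlsplit

# SWF files begin with a 3-byte signature ("FWS" uncompressed, "CWS" zlib,
# "ZWS" LZMA), a one-byte version and a 4-byte little-endian length field.
SWF_SIGNATURE = re.compile(rb"[FCZ]WS")

# Leading bytes an upload must carry for the image type it claims to be.
IMAGE_MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
}


def find_swf_header(data: bytes):
    """Return the offset of the first plausible SWF header in data, else None.

    Plausible means: a full 8-byte header is present, the version byte is
    non-zero and the declared length is at least the header size. This is a
    heuristic (an assumption of this example), not a full SWF parser."""
    for match in SWF_SIGNATURE.finditer(data):
        off = match.start()
        if off + 8 > len(data):
            continue
        version = data[off + 3]
        declared_len = int.from_bytes(data[off + 4:off + 8], "little")
        if version and declared_len >= 8:
            return off
    return None


def validate_upload(data: bytes, claimed_type: str):
    """Accept only uploads whose magic matches the claimed image type and
    which carry no SWF header anywhere in the body (appended or not)."""
    if not data.startswith(IMAGE_MAGIC[claimed_type]):
        return False, "magic bytes do not match claimed type"
    off = find_swf_header(data)
    if off is not None:
        return False, f"SWF header found at offset {off}"
    return True, "ok"


def upload_response_is_mitigated(page_host: str, upload_url: str, headers: dict) -> bool:
    """True if the upload is served the way the report names as safe: with
    Content-Disposition: attachment, or from a hostname other than the one
    serving the site's pages, so a smuggled SWF never runs in that origin."""
    lowered = {k.lower(): v for k, v in headers.items()}
    disposition = lowered.get("content-disposition", "").strip().lower()
    if disposition.startswith("attachment"):
        return True
    return urlsplit(upload_url).hostname != page_host.lower()
```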
Component: Plug-ins → Shockwave (Adobe)
Product: Core → Plugins
QA Contact: plugins → adobe-shockwave
Version: Trunk → unspecified
Component: Shockwave (Adobe) → Plug-ins
Product: Plugins → Core
QA Contact: adobe-shockwave → plugins
Version: unspecified → Trunk
Keywords: sec-want

Dan, is this still worth keeping open?

Flags: needinfo?(dveditz)
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(dveditz)
Resolution: --- → WONTFIX
Product: Core → Core Graveyard