
RE: Somebody hacked my FCS app: msg#00690

Subject: RE: Somebody hacked my FCS app
Hey,
Are people able to view the backend ASC files somehow?

I don't know how this guy would have known the parameters to send to my
"kick user off" function since I'm sending them all as an object.

Thanks!

Chris

-----Original Message-----
From: flashcomm-bounces-1Ss2GqJETD3yZ38Mhd3e/9ZfFG6BLHNm@xxxxxxxxxxxxxxxx
[mailto:flashcomm-bounces-1Ss2GqJETD3yZ38Mhd3e/9ZfFG6BLHNm@xxxxxxxxxxxxxxxx] On Behalf Of Stefan Richter
Sent: Monday, January 31, 2005 3:31 PM
To: 'FlashComm Mailing List'
Subject: RE: [FlashComm] Somebody hacked my FCS app

David,
those DLLs (I presume you mean things like ISAPI_rewrite) did not seem to
work reliably when I tested them. I used Win 2000 Server, IIS on the server
and IE and Firefox as browsers. I never managed to shut everyone out. The
solution works great with images but not so good with SWFs.

Stefan



-----Original Message-----
From: flashcomm-bounces-1Ss2GqJETD3yZ38Mhd3e/9ZfFG6BLHNm@xxxxxxxxxxxxxxxx
[mailto:flashcomm-bounces-1Ss2GqJETD3yZ38Mhd3e/9ZfFG6BLHNm@xxxxxxxxxxxxxxxx] On Behalf Of David Simmons
Sent: 31 January 2005 19:35
To: FlashComm Mailing List
Subject: RE: [FlashComm] Somebody hacked my FCS app


FWIW, there was a long thread on this list back on November 16th to 18th
entitled "Urgent Security Issue!!" about "hot linking", or having someone
else's web page point to your SWF.

This can be controlled by the web browser, using Apache .htaccess or
various add-on DLLs for Windows. Do a web search on "hot linking" and
you'll find tons of references - it's a common issue with stealing
graphics.

It's really a web server issue, as that's letting someone get your SWF who
shouldn't have it. FWIW, future versions of Flash may have some help here,
but that doesn't solve your immediate problem.

- Dave


-----Original Message-----
From: flashcomm-bounces-1Ss2GqJETD3yZ38Mhd3e/9ZfFG6BLHNm@xxxxxxxxxxxxxxxx
[mailto:flashcomm-bounces-1Ss2GqJETD3yZ38Mhd3e/9ZfFG6BLHNm@xxxxxxxxxxxxxxxx] On Behalf Of Harper, Chris
Sent: Monday, January 31, 2005 10:59 AM
To: FlashComm Mailing List
Subject: RE: [FlashComm] Somebody hacked my FCS app

Thanks Jake,
I will look into that. I also found this:

http://www.flashcomguru.com/tutorials/fcs_security.cfm

Like I said, I'm already checking the referrer on the server side, but has
there been any more done with getting the *actual* referrer of somebody who
would just be pointing their object tag to the .swf on our domain?

-----Original Message-----
From: flashcomm-bounces-1Ss2GqJETD3yZ38Mhd3e/9ZfFG6BLHNm@xxxxxxxxxxxxxxxx
[mailto:flashcomm-bounces-1Ss2GqJETD3yZ38Mhd3e/9ZfFG6BLHNm@xxxxxxxxxxxxxxxx] On Behalf Of Jake Hilton
Sent: Monday, January 31, 2005 12:38 PM
To: flashcomm-1Ss2GqJETD3yZ38Mhd3e/9ZfFG6BLHNm@xxxxxxxxxxxxxxxx
Subject: Re: [FlashComm] Somebody hacked my FCS app

Chris,
It is easy to "cloak" or mask referrers. If you have a separate app that
handles kicking people off, I'd have some sort of handshaking go on with the
server and that admin piece. That way you can make sure they are using your
admin for the kicking. Just an idea.

Jake

>>> Chris.Harper-OaAI/70wYEY@xxxxxxxxxxxxxxxx 1/31/2005 9:51:52 AM >>>
Hey everybody,

Kinda have a problem this morning. Customer Care told me somebody somehow
found the ability to kick people out of my chat rooms. I have a separate
tool for this that's in our intranet and there isn't even code to do it in
the rooms. There is code on the client side to kick that user off if they
get a message from the server. I'm wondering if somebody found a way to
decompile and recreate their own tool using my chat room, but the only
problem with that is that I check the referrers on the server side of FCS to
make sure they are coming from one of our domains. So if they had created
their own tool they'd be running it off their own desktop or hosting it on
their own computer. I don't know, is there a way to cloak referrers? Here
is the code to kick somebody off on the client side:

    // Client-side ActionScript handler: invoked when the server sends a
    // close_connect message on the chat NetConnection. The client records
    // the reason and closes both of its connections.
    chat_nc.close_connect = function(msg) {
        kicked_off = "yes";
        error_message = msg;
        chat_nc.close();
        lobby_nc.close();
    };

Are there any known security holes in FCS? Any help would be appreciated!

Chris


=-----------------------------------------------------------
Supported by Fig Leaf Software - http://www.figleaf.com 
=-----------------------------------------------------------

To change your subscription options or search the archive:
http://chattyfig.figleaf.com/mailman/listinfo/flashcomm




<Prev in Thread] Current Thread [Next in Thread>