About the Author

Chris Shiflett

Chris Shiflett is an author and speaker who leads the web application security practice at OmniTI.


The crossdomain.xml Witch Hunt

Since I disclosed the security vulnerability in Flickr (a result of its crossdomain.xml policy), a number of other major web sites have been identified as vulnerable to the same exploit: cross-domain Ajax requests, made from Flash under an open policy, used for CSRF. Among these new discoveries are YouTube, Adobe, and MusicBrainz.

This is an inherent risk of disclosing any new exploit. Because this exploit is the first of its kind, there are numerous web sites that are potentially vulnerable. I've made a sincere attempt to notify those who I know are vulnerable, but there's only so much a simple Google query and similar discovery techniques can reveal.

Roderick Divilbiss wondered why more people aren't paying attention to this discovery:

Such a simple, yet potentially damaging vector. I am dismayed that so few people have bothered to Digg this.

Someone else mentioned that disclosing this vulnerability before Flickr had a chance to fix it would have been a better tactic for spreading the word, but added that he was glad I waited. I'm well aware of the merits of full disclosure, but I prefer to give people time. Flickr certainly didn't abuse my trust and patience - in just 12 days, a fix was in place. If everyone were this responsible, the Web would be a safer place.

Note: For more information about the exploit, see Cross-Domain Ajax Insecurity and The Dangers of Cross-Domain Ajax with Flash.

In a Flash Player TechNote, Adobe warns about an open policy that permits all sites to send cross-domain requests:

This practice is suitable for public servers, but should not be used for sites located behind a firewall because it could permit access to protected areas. It should not be used for sites that require authentication in the form of passwords or cookies.

As written, the warning is a bit unclear. Does Adobe already know about this exploit? Here's their current crossdomain.xml policy:

<cross-domain-policy> 
    <allow-access-from domain="*"/>
    <allow-access-from domain="*.macromedia.com" secure="false"/>
    <allow-access-from domain="*.adobe.com" secure="false"/>
</cross-domain-policy>

A relatively new site has popped up at crossdomainxml.org, listing sites with open policies. This site already lists the new location of Flickr's policy, so it is current.

About This Post

The crossdomain.xml Witch Hunt was posted on Mon, 02 Oct 2006 at 02:19:49 GMT.

4 Comments

1. Chris Shiflett said:

Oprah.com is vulnerable and has been notified:

http://www.oprah.com/crossdomain.xml

Mon, 02 Oct 2006 at 02:35:57 GMT


2. Matthew Purdon said:

I find it really funny that this is such a big deal now. I have been using token based forms for a couple of years now simply because it is the most effective means of preventing duplicate form submissions. I keep the tokens (along with user data history) in a page and form name concatenated specific session array so that there are no collisions.

Wed, 04 Oct 2006 at 13:53:36 GMT
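A minimal version of the per-form token scheme described in the comment above, as an added example that is neither Matthew's code nor the post's: tokens are generated with the standard library, stored in a session dictionary under a key built from the page and form name, and retired once used, so a duplicate or forged submission is rejected. The session is a plain dict standing in for a real server-side session store, and the slot name SESSION_KEY is an assumption.

```python
import hmac
import html
import secrets

SESSION_KEY = "form_tokens"  # assumed name of the session slot holding the tokens


def issue_token(session, page, form):
    """Create a fresh token for one (page, form) pair and store it in the session."""
    token = secrets.token_hex(16)
    session.setdefault(SESSION_KEY, {})[f"{page}:{form}"] = token
    return token


def consume_token(session, page, form, submitted):
    """Check a submitted token against the stored one and retire it on success."""
    tokens = session.get(SESSION_KEY, {})
    key = f"{page}:{form}"
    expected = tokens.get(key)
    if expected is None or not isinstance(submitted, str):
        return False
    # Constant-time comparison on bytes, so non-ASCII input cannot raise.
    if not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False
    del tokens[key]  # one-shot: a replayed or duplicate submission fails
    return True


def render_form(session, page, form, action):
    """Return minimal form markup carrying its hidden token (markup is illustrative)."""
    token = issue_token(session, page, form)
    return (f'<form method="post" action="{html.escape(action, quote=True)}">'
            f'<input type="hidden" name="token" value="{token}">'
            "</form>")


def handle_post(session, page, form, post_data):
    """Server side: accept the submission only if its token matches the one issued."""
    if not consume_token(session, page, form, post_data.get("token")):
        return "403 Forbidden: missing, wrong or already-used form token"
    return "200 OK: form accepted"
```

A token like this stops a forged request from an ordinary page on another origin, which cannot read the form to learn the value. It does not stop the exploit this post is about: a Flash movie on an attacker's site, granted access by an open crossdomain.xml, can fetch the form with the victim's cookies, read the token out of the response, and submit it.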


3. Chris Shiflett said:

Hi Matthew,

Thanks for the comment. I wish we were all so lucky, then this wouldn't be such a big problem. :-)

Wed, 04 Oct 2006 at 14:04:32 GMT


4. Chris Shiflett said:

This story is being discussed by others in the web application security community:

http://jeremiahgrossman.blogspot.co...statistics.html

http://cgisecurity.com/2006/10/07

Wed, 11 Oct 2006 at 03:33:24 GMT

