About the Author

Chris Shiflett

Hi, I'm Chris, a web developer and a founding member of Analog. I live and work in Brooklyn, NY.


The crossdomain.xml Witch Hunt

Since I disclosed the security vulnerability in Flickr (a result of its crossdomain.xml policy), a number of other major web sites have been found to be vulnerable to the same exploit: using Flash to make cross-domain Ajax requests for CSRF. Flash Player consults the target site's crossdomain.xml before allowing a request, so a policy that allows every domain lets a SWF hosted anywhere send requests to the site, with the victim's cookies attached, and read the responses. Among these new discoveries are YouTube and Adobe.

This risk is inherent in disclosing a new exploit. Because this exploit is the first of its kind, numerous web sites are potentially vulnerable. I've made a sincere attempt to notify those I know to be vulnerable, but there's only so much a bit of Google searching can reveal.

Roderick Divilbiss wondered why more people aren't paying attention to this discovery:

Such a simple, yet potentially damaging vector. I am dismayed that so few people have bothered to Digg this.

Someone else mentioned that disclosing this vulnerability before Flickr had a chance to fix it would have been a better tactic for spreading the word, but added that he was glad I waited. I'm well aware of the merits of full disclosure, but I prefer to give people time. Flickr certainly didn't abuse my trust and patience; in just 12 days, a fix was in place. If everyone were this responsible, the Web would be a safer place.

For more information about the exploit, see Cross-Domain Ajax Insecurity and The Dangers of Cross-Domain Ajax with Flash.

In a Flash Player TechNote, Adobe warns about an open policy that permits all sites to send cross-domain requests:

This practice is suitable for public servers, but should not be used for sites located behind a firewall because it could permit access to protected areas. It should not be used for sites that require authentication in the form of passwords or cookies.

As written, the warning is a bit unclear: it says that sites relying on passwords or cookies shouldn't use an open policy, but not why. Does Adobe already know about this exploit? Here's their current crossdomain.xml policy:

<cross-domain-policy> 
    <allow-access-from domain="*"/> 
    <allow-access-from domain="*.macromedia.com" secure="false"/> 
    <allow-access-from domain="*.adobe.com" secure="false"/> 
</cross-domain-policy>

Since their own policy grants access to every domain, it seems unlikely they're aware of it.
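As an added example (not code from the original post), here is a small Python audit of a crossdomain.xml body that flags the kind of entries Adobe's note warns against: a wildcard domain, wildcard subdomains, and secure="false". The two sample policies are constructed for illustration; the first reproduces the Adobe policy quoted above, the second is a hypothetical tightened version for a site that needs only two named origins. The severity labels are mine, and the check looks only at the policy text: it cannot tell whether the host actually relies on cookies, which is what turns an open policy into a CSRF problem.

```python
"""Audit a Flash crossdomain.xml policy for entries that let other sites make
authenticated cross-domain requests.

Added example, not code from the original post.  Sample policies below are
constructed: OPEN_POLICY reproduces the Adobe policy quoted in the post,
HARDENED_POLICY is a hypothetical tightened version.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the open policy quoted in the post.
OPEN_POLICY = """<cross-domain-policy>
    <allow-access-from domain="*"/>
    <allow-access-from domain="*.macromedia.com" secure="false"/>
    <allow-access-from domain="*.adobe.com" secure="false"/>
</cross-domain-policy>"""

# Constructed sample: a hypothetical hardened policy that names only the
# origins that legitimately need to load data and keeps the secure default.
HARDENED_POLICY = """<cross-domain-policy>
    <allow-access-from domain="www.example.com"/>
    <allow-access-from domain="static.example.com"/>
</cross-domain-policy>"""


def audit_policy(xml_text):
    """Return a list of (severity, message) findings for a crossdomain.xml body.

    An empty list means no over-broad entries were found.  Severity labels are
    an assumption of this example, not part of the Flash specification.
    """
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        findings.append(("error", "root element is not <cross-domain-policy>"))
        return findings

    for elem in root.findall("allow-access-from"):
        domain = elem.get("domain", "")
        # Flash treats a missing secure attribute as secure="true".
        secure = elem.get("secure", "true").lower()

        if domain == "*":
            # Any SWF on any site may send requests carrying the victim's
            # cookies and read the responses, so anti-CSRF tokens returned in
            # a page can simply be harvested first.
            findings.append(("high",
                             'domain="*" lets every site make authenticated '
                             'cross-domain requests'))
        elif domain.startswith("*."):
            # Wildcard subdomain: every host under the suffix is trusted,
            # including any host an attacker can get content onto.
            findings.append(("medium",
                             f'wildcard domain="{domain}" trusts every host '
                             f'under {domain[2:]}'))
        elif not domain:
            findings.append(("error", "allow-access-from without a domain"))

        if secure == "false":
            # When the policy is served over HTTPS, secure="false" lets SWFs
            # loaded over plain HTTP access the HTTPS content as well.
            findings.append(("medium",
                             f'secure="false" on {domain or "<none>"} permits '
                             'HTTP-loaded SWFs to access HTTPS data'))
    return findings


def is_open(xml_text):
    """True if any entry grants access to every origin."""
    return any(sev == "high" for sev, _ in audit_policy(xml_text))


if __name__ == "__main__":
    for name, policy in (("open", OPEN_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: open={is_open(policy)}")
        for severity, message in audit_policy(policy):
            print(f"  [{severity}] {message}")
```

Running the script reports one high and four medium findings for the quoted Adobe policy and nothing for the hardened one. To audit a live site, fetch `/crossdomain.xml` from its document root and pass the body to `audit_policy`; a clean result still only means the policy is narrow, not that the named origins deserve the trust.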

A relatively new site has popped up at crossdomainxml.org that lists sites with open policies. It already lists the new location of Flickr's policy, so it's pretty current.

About This Post

The crossdomain.xml Witch Hunt was posted on Mon, 02 Oct 2006 at 02:19:49 GMT.

5 Comments

1. Chris Shiflett said:

Oprah.com is vulnerable and has been notified:

http://www.oprah.com/crossdomain.xml

Mon, 02 Oct 2006 at 02:35:57 GMT


2. Matthew Purdon said:

I find it really funny that this is such a big deal now. I have been using token based forms for a couple of years now simply because it is the most effective means of preventing duplicate form submissions. I keep the tokens (along with user data history) in a page and form name concatenated specific session array so that there are no collisions.

Wed, 04 Oct 2006 at 13:53:36 GMT


3. Chris Shiflett said:

Hi Matthew,

Thanks for the comment. I wish we were all so lucky, then this wouldn't be such a big problem. :-)

Wed, 04 Oct 2006 at 14:04:32 GMT


4. Chris Shiflett said:

This story is being discussed by others in the web application security community:

http://jeremiahgrossman.blogspot.co...statistics.html

http://cgisecurity.com/2006/10/07

Wed, 11 Oct 2006 at 03:33:24 GMT


5. Chris Shiflett said:

The same vulnerability has been discovered on Facebook and MySpace, and both sites have fixed it.

Thu, 05 Nov 2009 at 21:45:55 GMT

