swf filter security

 
Jez H
Hello All,

In:

Admin / Modules / Filters / Multimedia Plugin

The "Enable SWF Filter" is set to no by default. The label reads:

"As a default security measure, normal users should not be allowed to embed swf flash files."

Can anybody tell me why this is, i.e. why Flash files are considered a security risk?

Thanks, Jeremy
 
Average of ratings: -
Matt Bury
Re: swf filter security
Hi Jez,

A good question.

By default Moodle stores all course data in the moodledata directory which is not in the HTTP root, and uses a PHP proxy script to retrieve the data to serve to users. Normally, Flash Player checks URLs to make sure that they're either from the same domain, i.e. http://yourserver.com/ or that they're from a trusted server that has an XML cross-domain policy file on it.

Having a PHP proxy script circumvents these security measures and leaves your server and databases open to all kinds of horrific abuses and attacks by hackers. The advice should be more clear about this and it should provide links to the latest security information and updates from Adobe.com. At the moment, you have to go and find the information for yourself and know, specifically, where to look:

http://www.adobe.com/devnet/flashplayer/security.html

If you have SWFs, <object> and <embed> tags and allow users to upload and embed SWFs, you're leaving your site security wide open!

I hope this answers your question.
 
Average of ratings: -
John White
Re: swf filter security
 
Matt,

How about giving us a shot at current best practice, so that we can use Flash in Moodle and all still sleep at night.

Regards,

John
 
Average of ratings: -
Matt Bury
Re: swf filter security
Hi John,

The best place to look at Flash security is on the Adobe.com website. They have loads of fantastic resources, videos, downloads, tutorials, etc. all made by the leading educators for Flash and Actionscript. What you can't find there isn't really that important.

The link in the above post will take you to the main Flash Player Security page in the ActionScript developer center.
 
Average of ratings: -
Mauno Korpelainen
Re: swf filter security
 

Matt,

thanks for the link - it has great articles from the flash side.

Isn't the best practice on the Moodle side simply to keep that "Enable SWF Filter" setting set to no by default? Like the label reads:

"As a default security measure, normal users should not be allowed to embed swf flash files." These "normal users" are students who often want to test server security with different kinds of cute swf files from game sites that very often are also spam sites.

Another good rule is to use only such swf that you or some person/company you trust has created from a .fla file where you can check all action scripts. For the same reason embedding php scripts by "normal users" is not allowed either...

Edit: some more info about why swf's can be a security risk is also in
http://www.adobe.com/support/security/ and for example http://www.adobe.com/support/security/bulletins/apsb07-20.html

 
Average of ratings: Useful (1)
Matt Bury
Re: swf filter security
Nicely said Mauno, and some good links for people who aren't familiar with Flash security.
 
Average of ratings: -
Jez H
Re: swf filter security
Hello Mauno,

Would "normal users" not also be teachers?

I do not want to allow students to upload / embed flash, but do want teachers to be able to do it.

In our case there is absolutely no way we can validate action script for each file we use. Either we allow teachers to do this or we don't.... which is what I am trying to decide!

Regards, Jeremy


 
Average of ratings: -
Mauno Korpelainen
Re: swf filter security
 

I'm not even sure if this filter works as it should - I have always had it disabled and teachers can still embed flash to for example labels but not to such activities that are controlled by weblib.php and allowed tags.

If you visit http://korpelainen.net/test19 (editor demo/test site) as teacher2 (password the same) you can see a flash button in fck editor and can embed flash using this button to labels or html blocks. Tinymce has a similar media plugin for adding other type of media too. From forums, user profile etc. moodle strips flash tags away. If you login as "student" (password "student") you have the same editor but that button does not even exist + you don't have access to such parts of moodle that allow embedding flash (weblib takes care of that).

The only problem is roles - if you allow students/unknown persons to use teacher role (as I have allowed in this demo course) or even worse admin role you take a security risk - check the links from my previous post. This demo site is on my test server and I can rebuild it if something unexpected happens but in common you should allow only such people that know what they are doing to add whatever scripts...

It is also possible to use links to sites using flash or use iframes or...

 
Average of ratings: Useful (1)
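The role-based behaviour described in the post above (Flash tags kept for trusted roles, stripped from everyone else's content), as an added example that is not part of the thread and is not Moodle's weblib.php code. The role names, `filter_post` and the sample markup are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Tags that can load a Flash movie; <param> only matters inside <object>.
FLASH_TAGS = {"object", "embed", "param"}
# Hypothetical role names for this example, not Moodle's capability system.
TRUSTED_ROLES = {"teacher", "admin"}
# Constructed sample post, not taken from any real site.
SAMPLE = ('<p>Hi &amp; bye</p><OBJECT width="1"><param name="movie" '
          'value="game.swf"><embed src="game.swf"></OBJECT><b>ok</b>')


class FlashStripper(HTMLParser):
    """Re-emit HTML without Flash tags or anything nested in <object>."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.removed = [], []  # kept markup, dropped tag names
        self.depth = 0                   # > 0 while inside a dropped <object>

    def handle_starttag(self, tag, attrs):
        if tag in FLASH_TAGS:            # parser lowercases, so <OBJECT> matches
            self.removed.append(tag)
            if tag == "object":
                self.depth += 1
        elif self.depth == 0:
            self.out.append(self.get_starttag_text())

    handle_startendtag = handle_starttag  # "<embed ... />" emits no "</embed>"

    def handle_endtag(self, tag):
        if tag == "object":
            self.depth = max(0, self.depth - 1)
        elif tag not in FLASH_TAGS and self.depth == 0:
            self.out.append(f"</{tag}>")

    def _keep(self, text):
        if self.depth == 0:
            self.out.append(text)

    def handle_data(self, data): self._keep(data)
    def handle_entityref(self, name): self._keep(f"&{name};")
    def handle_charref(self, name): self._keep(f"&#{name};")


def filter_post(html, role):
    """Return (clean_html, removed_tags); only trusted roles pass unchanged."""
    if role in TRUSTED_ROLES:
        return html, []
    parser = FlashStripper()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.removed
```

An unclosed `<object>` drops everything after it, so malformed markup fails closed, and any role not listed as trusted is filtered. Links and iframes, which the post also mentions, are outside what this example covers.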
Jez H
Re: swf filter security
Hi Matt,

Are you saying that <object> and <embed> are only an issue if you also allow the flash filter?

Can we safely choose "either or" with regards to allowing <embed> and SWF uploads?

Also, you say that server attacks are possible, but I did not find anything relating to this in the Adobe docs. A colleague told me there was a buffer overflow in one of the older releases of flash, but, as the file executes in the player, on the client, I don't see how this could compromise the server. Do you have any specific links on this issue?

Thanks, Jeremy


 
Average of ratings: -
Mauno Korpelainen
Re: swf filter security
 

Some other links - for example:

http://secunia.com/advisories/28083/
http://secunia.com/advisories/30404/

http://blogs.adobe.com/psirt/2008/05/potential_flash_player_issue.html

Similar vulnerabilities can be found in most programs - we just don't know it until somebody notices the weak parts of code.

 
Average of ratings: -
Jez H
Re: swf filter security
Hi Mauno,

Thanks for the links, this is what I had been told about by a colleague, but they are not what Matt was talking about.

These links refer to vulnerabilities on the client, essentially they seem to be XSS attacks.

Matt says there is a Flash exploit that could allow a server to be compromised, I have never heard of this... and don't understand how this is possible. Our Linux server just serves the SWF, it does not execute it... that is done in the clients player.

If anyone has more info on this I would be grateful, as there is a big difference between a client side "XSS type" attack and losing control of a server!!

Thanks, Jeremy
 
Average of ratings: -
D Licious
Re: swf filter security
 
Just to be sure,

It is OK to enable the SWF filter, but it is important to disallow the embed and object tags? Or do they both have to be set to no?



 
Average of ratings: -
wen photo
Re: swf filter security
I ran across this thread by accident (kinda old, but a lot of great info!). Does anyone have any feedback about the question D Licious posted? Thanks!
 
Average of ratings: -
Mauno Korpelainen
Re: swf filter security
 

The best practise is to keep them both disabled.

http://docs.moodle.org/en/Security_overview

The latest vulnerability in flash player was reported February 24, 2009: http://www.adobe.com/support/security/bulletins/apsb09-01.html

 
Average of ratings: -