Allowing Flash by default is a bad idea

DelvarWorld
Registered User
Posts: 203
Joined: Thu Sep 04, 2003 10:56 pm
Location: noplarbp

Allowing Flash by default is a bad idea

Post by DelvarWorld »

I would even venture to say that it's a terrible idea. If you want phpbb 3 to be as user friendly and secure as possible, make Flash disabled by default for "Standard" access when setting up permissions. Newer users might overlook this option and allow Flash to all users.

I honestly found it a big hassle while installing RC1 to have to manually edit every single permission on every single forum to remove the Flash option for standard users. Allowing Flash videos seems like a potential disaster area waiting to happen.

Scenario 1: A user posts in a thread with many pages, waits a few days then edits his post with a 1x1 pixel flash movie that has a looping offensive sound. It will take a while to track down the problem since the source of the problem isn't visible at a glance. Allowing Flash by default allows users to post any kind of audio they want onto any page of your forum.

Scenario 2: A user posts a Flash movie with an auto-redirect. Maybe it's a spam posting a redirect to a spam site (A spammer can guarantee your site gets ACTUAL hits? That's a PERFECT incentive for site spam!). Maybe it's a redirect to a porn site to annoy admins. The main problem is that you need to view a thread to delete it. If there's an instant redirect then an admin won't have time to hit the delete button inside the thread. If an admin doesn't know how to make his browser stop displaying Flash then you can't delete the thread without going into the database!

Which leads us to our third option:

Scenario 3: A scammer posts a 1x1 Flash movie that has an instant auto-redirect to a phishing site. The site looks exactly like the forum except it's hosted on the scammer's webspace. Phishing site asks user to log in with name and password. User says "ok, maybe my cookie expired or something." User logs in, gives pass to scammer. Site redirects back to forum, user never notices a change. Boom: account hijacked. Boom: moderator account stolen. Boom: a stupid admin just gave up the entire forum.

The third is exactly what happened to Myspace: http://chaseandsam.com/2006/07/myspace- ... dfire.html (among hundreds of other security holes). A flash redirect stole hundreds of account login information. Certainly phpbb 3 is more secure than the black hole of stupidness that is Myspace, right?

How plausible are these possibilities? 100% guarantee they will happen if Flash is left on by default. Do you know how easy it is to create a redirecting Flash movie? It's just one line of code, compile, upload, done.


It seems like the main reason that a Flash tag was included was to allow for Google and YouTube video embeds. phpBB 2 already had a Flash embed feature, which was allowing HTML for admins (and maybe mods). That worked great because usually only Admins could post HTML, and admins are the only ones who should be allowed to embed SWF files. Now, if I were on the design team, I would 100% include YouTube and Google Video BBcode tags by default. It is my estimate that quickreply and YouTube embed mods are the most commonly used mods in phpBB forums. It looks like the Flash tag was added for that very reason, but that's a huge no-no in terms of security. If you really want to please the users by allowing Flash embeds, then make default Google and YouTube tags. There is no security problem with that. You could even make it an extension of the Flash tag, like [Flash=youtube]youtubeID[/Flash]. I'm sure that users would be ecstatic for those tags by default. The perfect solution would be a video tag generator panel in the ACP so that an admin can just put in the syntax of a movie site's URL and it will format new BBcode automatically, but I'm getting ahead of myself.

And that's all I have to say about that.

On a related note, still no quickreply in the default installation? Come on guys, I can't name a single forum that I frequent (and there are quite a few) that doesn't have a quickreply mod. What possible reason could you have for not including this? (or am I missing it maybe?)
ckwalsh
Former Team Member
Posts: 1837
Joined: Wed Mar 15, 2006 1:50 am
Location: Seattle, USA
Name: Cullen Walsh

Re: Allowing Flash by default is a bad idea

Post by ckwalsh »

Your examples with phishing sites (I believe) cannot happen, since in the bbcode the AllowScriptAccess value is set to never. That should prevent the movie from interacting with the browser at all.
Where to post what | Forum Rules | The Dos and Don'ts of General Discussion
In Seattle and want to meet, chat, or have a coffee? Drop me a PM.
DelvarWorld
Registered User
Posts: 203
Joined: Thu Sep 04, 2003 10:56 pm
Location: noplarbp

Re: Allowing Flash by default is a bad idea

Post by DelvarWorld »

Flash runs independent of the site it's on. The Flash player controls URL access, not the site. I also know it works because I tried it on this forum and another and got warned for it :evil:
ckwalsh
Former Team Member
Posts: 1837
Joined: Wed Mar 15, 2006 1:50 am
Location: Seattle, USA
Name: Cullen Walsh

Re: Allowing Flash by default is a bad idea

Post by ckwalsh »

Read This.

Since the getURL function is what redirects and that should be disabled, I can't see how this could work.
DelvarWorld
Registered User
Posts: 203
Joined: Thu Sep 04, 2003 10:56 pm
Location: noplarbp

Re: Allowing Flash by default is a bad idea

Post by DelvarWorld »

Well let's give it a test then shall we?

This button should under NO circumstances take you to google.com



And yup, it does! Looks like the allowscriptaccess value isn't doing anything. Maybe it's a doctype issue? Either way, who's up for some phishing? :D
Eelke
QA Team
Posts: 2903
Joined: Thu Dec 20, 2001 8:00 am
Location: NL, Bussum
Name: Eelke Blok

Re: Allowing Flash by default is a bad idea

Post by Eelke »

Was this reported to the security tracker? That would seem the most appropriate channel for this.
arod-1
Registered User
Posts: 1327
Joined: Mon Sep 20, 2004 1:33 pm

Re: Allowing Flash by default is a bad idea

Post by arod-1 »

Brainy wrote: Read This.

Since the getURL function is what redirects and that should be disabled, I can't see how this could work.
According to the link you posted, this parameter is only used above a certain player version.
This means it's a potential security hole for viewers who use earlier versions of the player.
Adobe documentation wrote: This feature requires Flash Player 6,0,40,0 or later.
.......
AllowScriptAccess can have two possible values: "always" and "never":
.......
Note: Earlier versions of the player will ignore this parameter, generally behaving as though AllowScriptAccess were set to "always".
standard disclaimer:
backup your db and files before you do anything.
absolutely no guarantee.
if you do what i advise and it blows in your face, all you'll hear from me is: "ah... sorry, i guess"
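The allowlisted video tag DelvarWorld proposes in the opening post ([Flash=youtube]youtubeID[/Flash]), together with the embed parameters ckwalsh and arod-1 discuss, as an added example in JavaScript. This is not phpBB's own code; the host list, the video ID format and the SWF URL template are assumptions made for illustration. One caveat worth stating plainly: allowScriptAccess="never" only restricts the SWF's access to the hosting page's scripting, while browser navigation (getURL, navigateToURL) is governed by the separate allowNetworking parameter, which exists only in Flash Player 9 and later; and, as arod-1's quote from the Adobe documentation shows, older players ignore such parameters entirely. The control that does not depend on the viewer's player version is therefore refusing to embed any SWF the forum did not build the URL for itself.

```javascript
// Added example, not phpBB's own code: a BBCode renderer that accepts
// [flash=host]videoID[/flash] only for an allowlist of video hosts and never
// embeds an arbitrary SWF URL. Host names, the ID pattern and the SWF URL
// template are the author's assumptions for illustration.

// Allowlist: each entry validates the ID and builds the SWF URL itself, so
// user input never becomes a URL directly. (Assumed host and ID format.)
const VIDEO_HOSTS = {
  youtube: {
    idPattern: /^[A-Za-z0-9_-]{11}$/, // assumed 11-character ID format
    swfUrl: (id) => `https://www.youtube.com/v/${encodeURIComponent(id)}`,
  },
};

// Minimal HTML escaping so text that is NOT recognised as an allowed tag is
// shown literally instead of becoming markup.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Build the <object> markup for one allowlisted video.
// allowScriptAccess="never" stops the SWF from scripting the hosting page;
// allowNetworking="internal" (Flash Player 9+) additionally blocks the
// getURL/navigateToURL browser-navigation calls used for the redirect.
// Players that predate these parameters ignore them, so the URL allowlist,
// not the parameters, is the control that actually holds.
function renderEmbed(host, id) {
  const entry = VIDEO_HOSTS[host];
  if (!entry || !entry.idPattern.test(id)) return null;
  const url = entry.swfUrl(id);
  return (
    `<object type="application/x-shockwave-flash" data="${url}" width="425" height="350">` +
    `<param name="movie" value="${url}">` +
    `<param name="allowScriptAccess" value="never">` +
    `<param name="allowNetworking" value="internal">` +
    `</object>`
  );
}

// Matches [flash=host]id[/flash]; the host part is optional so that a bare
// [flash]http://...[/flash] pointing at a user-supplied SWF is still seen
// (and then refused, because it has no allowlisted host).
const TAG = /\[flash(?:=([a-z]+))?\]([^\[\]]*)\[\/flash\]/gi;

// Replace allowed tags with embeds; everything else, including refused
// tags, is escaped and left as visible text for a moderator to see.
function renderPost(text) {
  let out = '';
  let last = 0;
  for (const m of text.matchAll(TAG)) {
    out += escapeHtml(text.slice(last, m.index));
    const embed = m[1] ? renderEmbed(m[1].toLowerCase(), m[2].trim()) : null;
    out += embed ?? escapeHtml(m[0]);
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}

// Constructed sample posts (not real forum content): one legitimate video,
// one direct SWF URL of the kind the thread warns about, one ID that tries
// to smuggle a path into the allowlisted host's URL.
const SAMPLES = [
  'Nice clip: [flash=youtube]abcdefghijk[/flash]',
  '[flash]http://attacker.example/redirect.swf[/flash]',
  '[flash=youtube]../../redirect.swf[/flash]',
];

for (const s of SAMPLES) console.log(renderPost(s));
```

Only the first sample produces an `<object>`; the other two come back as escaped text, so a moderator reading the thread sees the attempted tag instead of being redirected by it.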