Still think allowing users to upload files to your server is OK?
There has been quite a bit of buzz surrounding the newest Flash attack. Please review this site for a quick write-up. I want to make it clear that this attack vector is different from a remote vulnerability in Flash. This attack is focused on an individual uploading a Flash file to a server and then having it execute when a user visits the site.
Adobe has a nice write-up outlining the issue and their initial response to the problem here. I really like the write-up and the quote of a core axiom of computer security: "If you allow a bad guy to upload programs to your web site, it's not your web site anymore." That is very true.
However, in the article they restate that the issue at hand is a Same Origin Policy issue. Mike Bailey of Foreground Security neatly breaks down where the Adobe response fails to completely address the issue here.
His point is that the scenarios in which .swf files can be executed are far more pervasive than the .js counterparts that Adobe discusses.
The reason this fascinates me is that it is outside the bounds of what penetration testers would normally look for in a web application. Because this attack vector is not a remote exploit, it does not get the buzz that it deserves. The point is that when we are testing we need to look for vulnerabilities and attacks that attackers would use. This attack vector is definitely in that category. Further, this is not something that is easily fixed with a patch.
Until it is fixed (and I don't expect this to happen any time soon) we will have a new vector to test for in our engagements.
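The defensive counterpart to the vector described above is an upload handler that never trusts the extension or the client-supplied content type, refuses anything whose bytes are a Flash movie, and serves stored uploads as forced downloads rather than inline content. The following is an added example written for this post, not code from the original article, from Adobe, or from Foreground Security. It assumes a hypothetical application that only accepts PNG, JPEG and GIF images and that serves stored files under a server-generated name; the SWF magic bytes (`FWS`, `CWS`, `ZWS`) and the image signatures are the real container headers, and the sample uploads at the bottom are constructed for the demonstration.

```python
"""Defensive upload gate for a site that lets users upload images.

Added example (not from the original post). Demonstrates two of the usual
mitigations for the "upload a .swf and have it run in our origin" problem:
content inspection instead of extension trust, and download-only serving.
The third mitigation, hosting uploads on a separate origin, is a deployment
decision and is only mentioned in comments here.
"""
from __future__ import annotations

# The three SWF container signatures: uncompressed, zlib-compressed, LZMA-compressed.
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")

# Leading bytes for the image types this hypothetical application accepts.
IMAGE_SIGNATURES: dict[str, tuple[bytes, ...]] = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def is_swf(data: bytes) -> bool:
    """True if the payload starts with an SWF header, whatever its filename claims."""
    return data[:3] in SWF_SIGNATURES


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason).

    Rejects Flash content outright, then requires that the extension is on the
    allow-list and that the bytes really match the type the extension claims.
    """
    if is_swf(data):
        return False, "content is a Flash movie (SWF signature)"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in IMAGE_SIGNATURES:
        return False, f"extension {ext!r} not allowed"
    if not any(data.startswith(sig) for sig in IMAGE_SIGNATURES[ext]):
        return False, f"content does not match a {ext} file"
    return True, "ok"


def download_headers(stored_name: str) -> dict[str, str]:
    """Headers for serving a stored upload.

    stored_name is the server-generated identifier (never the user's filename).
    Forcing a download and forbidding sniffing keeps the browser (and plugins)
    from rendering the file as active content inside the site's origin; ideally
    the download endpoint also lives on a separate, cookie-less origin.
    """
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{stored_name}"',
        "X-Content-Type-Options": "nosniff",
    }


def demo() -> list[tuple[str, bool, str]]:
    """Run the gate over constructed sample uploads and return the decisions."""
    samples = [
        # A real-looking JPEG: accepted.
        ("avatar.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 12),
        # A Flash movie renamed to look like an image: rejected by content.
        ("avatar.jpg", b"CWS\x0a" + b"\x00" * 12),
        # An honest .swf upload: rejected by content before the extension check.
        ("movie.swf", b"FWS\x08" + b"\x00" * 12),
        # Right extension, wrong bytes: rejected by the signature check.
        ("logo.png", b"\xff\xd8\xff\xe0" + b"\x00" * 12),
    ]
    return [(name, *validate_upload(name, data)) for name, data in samples]


if __name__ == "__main__":
    for name, accepted, reason in demo():
        print(f"{name:12} {'ACCEPT' if accepted else 'REJECT'}  {reason}")
    print(download_headers("3f9a2c1e"))
```

The content check runs before the extension check on purpose: the attack in the post does not depend on the file being named `.swf`, so the decision has to be driven by what the bytes are, not what the name says. The headers are only half of the second mitigation; the other half is keeping the download endpoint off the application's origin so that even an inspection miss cannot run with the site's cookies and same-origin privileges.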