I have a developer who has given users the ability to download a zip archive that contains an HTML document which makes relative references to a JavaScript file and a Flash document. The Flash document takes one parameter from a URL that is embedded in the HTML document. I believe this collection is meant to be used as a means of transferring an advertisement, which will use the source to display on its site, though the end user wants to view it locally.
When the HTML document opens, the Flash document is presented, and when the user clicks on the Flash document, it redirects to this embedded URL. However, if someone removes the archive on the desktop, opens the HTML document in the browser and clicks on the Flash object, then nothing is observed; they are not redirected to the external URL. I believe this is a security risk because a local computer is moving from one area to an external area.
I am trying to determine the best way to explain this security risk in the simplest way, in very end-user terms. They simply believe that this is broken, when it is not broken; they are being protected from a known vulnerability.
Developers tried to copy files into a local IIS example, which I suspect is that the user is running on the machine, and I do not consider it a viable explanation.
T seems to be an issue. Being able to move in the opposite direction, this is the initial script from a remote area to a local area called "". In fact, most uses cross-zone scripting to obtain remote code execution.
If you see that you can see it less restrictive that when it comes to reaching remote resources, I cannot think of a scenario in which it will be valuable for the attacker. Especially when others compare the locally run code, such as executables written in C++.