9th Aug 2002 [SBWID-5614]
COMMAND
Macromedia Flash plugin can read local files
SYSTEMS AFFECTED
Tested on Flash Player 6 in Internet Explorer 6
PROBLEM
Jelmer [jelmer@kuperus.xs4all.nl] says :
There is a bug in Macromedia Flash Player that allows reading and
sending of local files.
This can be achieved in three ways.
1. force an HTTP redirect to a local file
2. place a <base href="file:///C:/"> in the document then use a relative url
3. embed the Flash object in a web archive (mht file) and make it seem as
though it has been saved from a location on the user's hard drive, then use a
relative url.
Example :
=========
Demonstrations of the issues described are available at :
1. redirect issue
http://kuperus.xs4all.nl/flash.htm
2. base tag
http://www.xs4all.nl/~jkuperus/flash.htm
3. mht file embedding
http://www.xs4all.nl/~jkuperus/flash.mht
It reads and displays the contents of c:\jelmer.txt
The exploits use the Macromedia Flash XML object, first introduced in
Macromedia Flash Player 5, to read the local files.
There may be other ways to achieve the same effect.
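As an added example, not part of the advisory or Macromedia's code, the following Python checker flags the three delivery vectors described above from a gateway or proxy's point of view: a 3xx redirect whose Location is a file: URL, a <base href> pointing at a local drive combined with a relative .swf reference, and an MHT fetched over the network whose Content-Location headers claim a local origin. All sample inputs are constructed; the .swf file name is a placeholder.

```python
import re
from urllib.parse import urljoin, urlparse


def _is_local(url):
    """True for file: URLs or bare Windows drive paths such as C:\\x."""
    return (urlparse(url).scheme.lower() == "file"
            or re.match(r"^[A-Za-z]:[\\/]", url) is not None)


def redirect_to_local_file(status, headers):
    """Vector 1: a 3xx response redirecting the plugin to a local file."""
    if not 300 <= status < 400:
        return False
    return _is_local(headers.get("Location", ""))


# A <base href=...> and any .swf reference in embed/object/param attributes.
_BASE_RE = re.compile(r'<base\s[^>]*?href\s*=\s*["\']?([^"\'\s>]+)', re.I)
_SWF_RE = re.compile(
    r'<(?:embed|object|param)\s[^>]*?(?:src|data|value)\s*=\s*["\']?([^"\'\s>]+\.swf)',
    re.I)


def base_tag_local_flash(html):
    """Vector 2: <base href="file:///C:/"> plus a relative .swf URL that
    resolves onto the local drive."""
    m = _BASE_RE.search(html)
    if not m or not _is_local(m.group(1)):
        return False
    return any(_is_local(urljoin(m.group(1), swf)) for swf in _SWF_RE.findall(html))


_CL_RE = re.compile(r"^Content-Location:\s*(\S+)", re.I | re.M)


def mht_local_origin(mht):
    """Vector 3: an MHT served from the network whose parts claim a local origin."""
    return any(_is_local(loc) for loc in _CL_RE.findall(mht))


# Constructed samples (not from the advisory); placeholder.swf is a placeholder name.
SAMPLE_REDIRECT = (302, {"Location": "file:///C:/"})
SAMPLE_HTML = ('<html><head><base href="file:///C:/"></head>'
               '<body><embed src="placeholder.swf"></body></html>')
SAMPLE_MHT = ("MIME-Version: 1.0\r\nContent-Location: file:///C:/flash.htm\r\n"
              "Content-Type: text/html\r\n\r\n<html>")

if __name__ == "__main__":
    print("redirect:", redirect_to_local_file(*SAMPLE_REDIRECT))
    print("base tag:", base_tag_local_flash(SAMPLE_HTML))
    print("mht:", mht_local_origin(SAMPLE_MHT))
```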
SOLUTION
Update to the latest player (6,0,47,0). It should be available at
http://www.macromedia.com/go/getflashplayer/
References :
http://www.netmag.co.uk/ie5/save-page.htm
http://www.wdvl.com/Authoring/HTML/Head/base.html
http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.3
http://www.macromedia.com/support/flash/action_scripts/objects/xml_object.html
http://www.macromedia.com/software/player_census/flashplayer/version_penetration.html