Jan 15 2008

Flash lifts its skirts now with UPnP vuln.

Sigh… here’s the reason I hate Flash! Got into a huge scrap at work with a colleague arguing our customer-facing offering needed to be Web 2.0 and RIA and that Flash was the way to go as AJAX wasn’t ubiquitous yet, etc., etc., and I politely pointed out that I personally, on all the browsers I use at home, block Flash content.

And here’s why, and here’s the original PoC code. Nice bundled-up, serialised SOAP call over an embedded Flash object using an XSS (Cross-Site Scripting) vulnerability and UPnP (Universal Plug and Play - it makes those tricky little apps like MSN Messenger and Skype slip through your hardware and software firewalls like a hot knife through butter).

So the ongoing rule is: learn to use your hardware properly, configure ONLY those ports on your firewalls that you really, really, really, REALLY need open, and go home this evening and make sure UPnP is disabled on your router.

You have been warned… again!

Written by Scott Brown in: Broadband, Computers and Internet, Rants, Technology
