Adobe Flash and Mozilla Firefox view-source: Security Issues

Overview

When a Flash file is loaded in Mozilla Firefox from within the 'view-source:' protocol handler, the Adobe Flash plugin miscalculates the origin of the content. To the plugin, it appears the content was loaded from the local file system.

This introduces two specific security weaknesses, each described in its own section below:

- Bypass of 'crossdomain.xml' to access third-party web content
- Reading and writing Local Shared Objects as localhost

Background

In Mozilla Firefox, it isn't normally possible to render content using the 'view-source:' pseudo protocol handler. However, by providing the content as a valid JAR file, the 'jar:' handler can be used to load a file as HTML from within the context of 'view-source:'. Once the file is treated as HTML, it is then simply a matter of including the desired Flash content within the JAR file and referencing it.

This sequence would appear as:

jar:view-source:http://example.com/foo.jar!/foo.html

where 'foo.jar' would contain the two files referenced by the sequence:

- foo.html
- foo.swf

The 'foo.html' file would include 'foo.swf' within an <embed> tag, and the Flash content would be loaded with a root path of 'view-source:http://example.com/foo.jar!/foo.swf'.

Bypass 'crossdomain.xml' to Access Third-Party Web Content

The Flash security policy restricts objects from accessing third-party web content unless the third-party site opts in via a 'crossdomain.xml' file. For content that is loaded from the local file system, no network access is allowed unless a user specifically allows it by adding a security exception. But, by default, local Flash objects can load any other local file system content.

Since Flash incorrectly believes the 'view-source:' content has been loaded from the local file system, access to local file contents could be possible. In practice, however, this does not appear to work: although the Flash plugin potentially allows it, the Firefox security manager prevents the access.

This raises the question of whether there is some intersection of the two security policies that would allow access to normally restricted data. Simple experimentation reveals that Flash also treats any web content requests that use the 'view-source:' protocol as belonging to the local file system.

Because Flash believes that any content loaded from 'view-source:' originated on the local machine, the Flash standard network security policy is not applied. The standard 'crossdomain.xml' file is not consulted. Mozilla Firefox allows access to the third-party data because both sets of content originate on the network.

As a result, Flash content can request web content from arbitrary third-party sites. These web requests include any cookies that the third-party site may have set. If the user currently has an active session with the site, this behavior can lead to exposure of personal information or facilitate cross-site request forgery (CSRF) attacks.
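The root cause described in the Background and in this section is an origin calculation that stops at the outermost pseudo-scheme instead of unwrapping to the innermost network URL. The following Python is an added illustration (not code from the advisory, Adobe or Mozilla) of the defensive check: it strips the 'jar:' and 'view-source:' wrappers to recover the real network origin, contrasts that with a naive scheme test that mirrors the miscalculation the advisory describes, and then evaluates a simplified 'crossdomain.xml' policy against the correctly derived origin. The policy documents, the third-party hostnames and the wildcard-matching rule are constructed assumptions for the example.

```python
import xml.etree.ElementTree as ET
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Pseudo-schemes that wrap another URL rather than naming a resource themselves.
WRAPPER_SCHEMES = ("view-source:", "jar:")


def effective_network_url(url: str) -> str:
    """Peel off nested 'jar:' / 'view-source:' wrappers and return the innermost URL.

    For a 'jar:' URL the '!/entry' suffix is dropped: the archive's own location,
    not the entry inside it, is what determines the origin.
    """
    stripped = True
    while stripped:
        stripped = False
        for prefix in WRAPPER_SCHEMES:
            if url.lower().startswith(prefix):
                url = url[len(prefix):]
                stripped = True
    return url.split("!/", 1)[0]


def origin_of(url: str) -> Tuple[str, str, Optional[int]]:
    """Return (scheme, host, port) for the effective network URL.

    Non-http(s) schemes (e.g. 'file') are reported with an empty host so callers
    can treat them as local content.
    """
    parts = urlsplit(effective_network_url(url))
    if parts.scheme not in ("http", "https"):
        return (parts.scheme, "", None)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, (parts.hostname or "").lower(), port)


def naive_scheme_is_local(url: str) -> bool:
    """Mirror of the flawed classification: anything whose outermost scheme is not
    http/https is assumed to come from the local file system."""
    return urlsplit(url).scheme not in ("http", "https")


def crossdomain_allows(policy_xml: str, requesting_host: str) -> bool:
    """Simplified 'crossdomain.xml' evaluation (constructed for this example):
    '*' allows everyone, '*.example.com' allows example.com and its subdomains,
    and an exact domain allows only that host."""
    root = ET.fromstring(policy_xml)
    host = requesting_host.lower()
    for entry in root.findall("allow-access-from"):
        pattern = entry.get("domain", "").lower()
        if pattern == "*":
            return True
        if pattern.startswith("*."):
            base = pattern[2:]
            if host == base or host.endswith("." + base):
                return True
        elif pattern == host:
            return True
    return False


def may_load(swf_url: str, target_url: str, target_policy_xml: str) -> bool:
    """Network policy decision using the correctly derived origin:
    local (non-http) content gets no network access, same-origin requests are
    allowed, and cross-origin requests must be opted in by the target's policy."""
    swf_origin = origin_of(swf_url)
    if swf_origin[0] not in ("http", "https"):
        return False
    if swf_origin == origin_of(target_url):
        return True
    return crossdomain_allows(target_policy_xml, swf_origin[1])


# Constructed sample inputs: the SWF path from the advisory, a hypothetical
# third-party site and two hypothetical policy files.
SWF_URL = "view-source:http://example.com/foo.jar!/foo.swf"
THIRD_PARTY = "http://third-party.example/data"
POLICY_PARTNER_ONLY = (
    '<?xml version="1.0"?><cross-domain-policy>'
    '<allow-access-from domain="partner.example"/></cross-domain-policy>'
)
POLICY_EXAMPLE_OPTED_IN = (
    '<?xml version="1.0"?><cross-domain-policy>'
    '<allow-access-from domain="*.example.com"/></cross-domain-policy>'
)

if __name__ == "__main__":
    print("naive says local:", naive_scheme_is_local(SWF_URL))
    print("real origin:", origin_of(SWF_URL))
    print("third party, no opt-in:", may_load(SWF_URL, THIRD_PARTY, POLICY_PARTNER_ONLY))
    print("third party, opted in:", may_load(SWF_URL, THIRD_PARTY, POLICY_EXAMPLE_OPTED_IN))
```

The point the example makes is that every policy decision (network access, and equally the namespace an LSO is stored under) must be keyed on the origin returned by 'origin_of', never on the outermost scheme; with the naive test the advisory's SWF is classified as local, which is exactly the state in which Flash skipped the 'crossdomain.xml' check.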

Steps to reproduce the issue:

Download the jar file containing HTML pages and source directly: getcontent.jar.

Read and Write Local Shared Objects as localhost

When a Flash object is loaded from within the 'view-source:' protocol, the content is created within the context of the 'technicalattack.netfirmsmysql.com' hostname. This allows the creation of a Local Shared Object (LSO) that appears to originate from localhost.

Because any Flash object loaded from 'view-source:' content is created within the 'technicalattack.netfirmsmysql.com' context, arbitrary third-party sites can read and write shared local settings. The controls restricting third-party site content (if enabled) are effectively bypassed.

Additionally, the local networking restrictions can be circumvented by resubmitting the content using a 'view-source:' URL. Coordinating third-party sites can read and write locally shared objects as well as post the information back. In this way, a complete privacy compromise and user tracking is possible.

Steps to reproduce the issue:

Download the jar file containing HTML pages and source directly: logdata.jar.


Copyright (c) 2009, Gregory Fleischer (gfleischer@gmail.com)