jhuckaby / webcamjs

HTML5 Webcam Image Capture Library with Flash Fallback
MIT License

webcam.swf's allowDomain * detected as potential vulnerability #324

Open ywarnier opened 3 years ago

ywarnier commented 3 years ago

A security scan reported that webcam.swf contains a wildcard in the allowDomain method, which is considered insecure.

Impact
Very relaxed cross-domain permissions may enable an attacker to perform spoofing and data theft attacks.
Solution
The recommendation is to use more restrictive wildcards to grant cross-domain permissions only to domains and subdomains that are really trusted. For more details on Security.allowDomain please see the help document by Adobe: http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/flash/system/Security.html

I'm not sure whether the right solution is to offer a configuration setting somewhere that the SWF can load, or whether webcam.swf should simply be removed (after all, Flash is unmaintained and thus is not considered safe in general anymore), but I wanted to make sure you are aware of the potential issue.
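For readers who want to see what the scanner's recommendation looks like in practice, below is an added ActionScript 3 sketch of a hardened SWF entry point. It is illustrative code written for this thread, not webcam.swf's actual source: the class name, and the `allowedDomains` FlashVar that the embedding JavaScript would pass in, are assumptions. It shows the flagged `Security.allowDomain("*")` beside a whitelist that accepts explicit hosts and subdomain patterns such as `*.example.com` (both forms are documented by Adobe for `Security.allowDomain`) and refuses the bare wildcard so an embed cannot reintroduce the finding.

```actionscript
package {
    import flash.display.Sprite;
    import flash.system.Security;

    // Hypothetical hardened entry point; not the code shipped in webcam.swf.
    public class WebcamHardened extends Sprite {
        public function WebcamHardened() {
            // Weak form reported by the scan: any SWF from any origin may
            // cross-script this movie.
            // Security.allowDomain("*");

            // Hardened form: only the origins named by the embedding page.
            // "allowedDomains" is an assumed FlashVar name, supplied by the
            // embed's flashvars, e.g. "example.com,*.example.com".
            var raw:String = String(loaderInfo.parameters["allowedDomains"] || "");
            var granted:int = grantDomains(raw);
            // granted == 0 means nothing beyond Flash Player's implicit
            // same-origin access was allowed, which is the safe default.
        }

        // Parses a comma-separated whitelist and calls Security.allowDomain
        // once per entry. Returns the number of entries actually granted.
        private function grantDomains(raw:String):int {
            var granted:int = 0;
            for each (var entry:String in raw.split(",")) {
                var d:String = entry.replace(/^\s+|\s+$/g, "");
                // Skip empty entries and reject the bare wildcard outright:
                // that is exactly the configuration the scanner flagged.
                if (d.length == 0 || d == "*") {
                    continue;
                }
                Security.allowDomain(d);
                granted++;
            }
            return granted;
        }
    }
}
```

The embedding side would then pass `flashvars="allowedDomains=example.com,*.example.com"` on the `<object>`/`<embed>` tag (or the equivalent option of whatever embed helper is used). Whether that is preferable to dropping the SWF fallback entirely is the question raised above; if the fallback stays, this is the shape a configurable restriction would take.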

jtboing commented 3 years ago

Any updates on this? I've found the same thing as well when running a vulnerability scan.