I don't really know if this is a real risk with the current Forms API setup in Drupal or not. But I thought I'd throw it out there -
a) to present the possibility so people are at least aware of it and
b) present a possible means for reducing or eliminating it.

Flash content is becoming increasingly popular in general - this is likely to continue (future support for H264 video format etc). Some modules implement support for flash to make it easier to include flash content.

If a person with content management rights (that include the upload of arbitrary flash content) uploaded a malicious flash file, then there is a potential security risk in the following way:
The swf could be constructed to attempt to load admin config pages/forms (and do nothing if it fails, because it does not have permission). This would not be visible to anyone except via an immense surge in watchdog reports.

If it succeeded (because the swf was being viewed by a person who was logged in with full admin rights) then it can submit data, request additional forms based on standard admin paths and wreak havoc without the admin being aware of it (e.g. wild scenario: imagine if it, for example, gave admin rights to a random selection of other users... revoked the current user's admin rights, and where it would in turn do the same thing when the others viewed the swf...). I believe it would also be possible to pass data to a third party url from flash once it was obtained.

What do others think about this? I don't know if anything like this has ever happened in a CMS - I'm just throwing it up for discussion - and I guess the risk is low (it's actually a reasonable amount of work for someone to make a swf like that) but I'm more than 90% sure it's possible.

Prevention
One way to prevent it would be to check the headers in the requests - flash has some mandatory headers that identify the request as coming from flash via the browser - these could be filtered out for example for all admin paths. But for people who are using flash to submit and receive legitimate data there needs to be that possibility as well.

Comments

ronan

That is an interesting hypothetical. There is of course an inherent danger in allowing untrusted users to upload swf files to your site. It is as great as allowing untrusted users to add javascript to your site. What you describe is the classic XSS (cross site scripting attack) but using flash instead of javascript (which is what most people think of when they think of xss). The same applies to java applets and activex controls.

The message to take away is that swf embed tags need to be treated with the same caution as Javascript. This means that if you want to allow users to embed YouTube videos (for example) make sure that the file being embedded is actually from youtube.com or some other trusted source (your level of trust will vary). And never use a black-list to filter user input, always use a white-list (i.e. don't specify what they cannot do, but specify what they can do).

------------------------------------
Ronan - Gorton Studios - http://www.gortonstudios.com/

------------------------------------
Ronan
Founder - NodeSquirrel - https://www.nodesquirrel.com/
Agency Tools Lead - Pantheon - https://www.pantheon.io/

ilkay.can

Embedded flash, by default, can execute javascript if it's served from the same domain as the embedding page. If it is embedded from a remote page, it won't have any access to the javascript (unless the embed code specifies allowScriptAccess="always").

Flash would not be able to load/submit Drupal forms unless it knows the session token used in the forms. It also acts like a separate browser and does not use the same session as the embedding page. Requests made by the flash object would be anonymous.
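The two mitigations raised in this thread, the original post's idea of gating admin forms on request properties and ilkay.can's point that a form token bound to the viewer's session stops a separate client from submitting, can be illustrated with a small simulation. The following is an added example written for this discussion, not Drupal's own code: it models a form token as an HMAC over the session id and form id under a site private key (loosely in the spirit of Drupal's form tokens, but the key derivation, names and `handle_submission` helper are assumptions), then shows that a genuine in-session submission is accepted while an anonymous request (what an embedded object that does not share the page's session would make) and an in-session request without the rendered token are both rejected.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the site's private key; a real site keeps this in config.
PRIVATE_KEY = secrets.token_hex(32)


def form_token(session_id: str, form_id: str) -> str:
    """Token bound to both the viewer's session and the specific form.

    A token copied out of one session is useless in another, and a token
    for one form is useless on a different form.
    """
    msg = f"{session_id}:{form_id}".encode()
    return hmac.new(PRIVATE_KEY.encode(), msg, hashlib.sha256).hexdigest()


def render_form(session_id: str, form_id: str) -> dict:
    """What the server embeds in the HTML form it sends to this session."""
    return {"form_id": form_id, "form_token": form_token(session_id, form_id)}


def handle_submission(session_id, post: dict) -> str:
    """Server-side check on a POST.

    session_id is the session the request actually arrives under (from the
    cookie), which may differ from the session the form was rendered for.
    """
    if session_id is None:
        # Admin forms are never accepted from an anonymous request.
        return "rejected: anonymous"
    expected = form_token(session_id, post.get("form_id", ""))
    supplied = post.get("form_token", "")
    # Constant-time comparison avoids leaking the token through timing.
    if not hmac.compare_digest(expected, supplied):
        return "rejected: bad token"
    return "accepted"


def simulate() -> tuple:
    """Three constructed requests against the same admin form."""
    admin_session = "sess-admin-1"  # constructed session id
    form = render_form(admin_session, "user_admin_perm")

    # 1. The admin's own browser submits the form it was served, in its session.
    genuine = handle_submission(admin_session, form)

    # 2. An embedded object that does not carry the page's session cookie:
    #    the request arrives anonymous, so it never reaches the form handler.
    anonymous = handle_submission(
        None, {"form_id": "user_admin_perm", "form_token": ""}
    )

    # 3. A request that does ride the admin's session but was not built from the
    #    rendered form, so it lacks the session-bound token.
    no_token = handle_submission(
        admin_session, {"form_id": "user_admin_perm", "form_token": "not-the-token"}
    )
    return genuine, anonymous, no_token


if __name__ == "__main__":
    print(simulate())
```

The token check does not rely on any header a client might or might not send, which is why it is a stronger control than filtering on plugin-specific request headers: the server only accepts a submission that was rendered into the same session the request arrives in.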