# flash not in submit menu



## Nanakisan (Nov 13, 2009)

*flash not in submit menu (please close)*

Please close this


----------



## Wolfbane (Nov 13, 2009)

Yes I noticed this. I am going to go out on a limb and presume it's been intentionally *temporarily?* dispatched with on account of this: http://forums.furaffinity.net/showthread.php?p=1346330#post1346330


----------



## net-cat (Nov 13, 2009)

Flash has been temporarily disabled due to the security issues it presents. It will be reenabled when we have come up with a workaround.


----------



## Nanakisan (Nov 13, 2009)

ahh very understandable....let's see that's 2 features that FA will now never see again.


----------



## TakeWalker (Nov 13, 2009)

Yes, unfortunately flash subs now have a little "flash has been disabled" thumbnail instead.


----------



## Nanakisan (Nov 13, 2009)

well this thread has outlived itself would a mod or admin be kind enough to close this so no drama ensues.


----------



## Tobias_foxfire (Nov 13, 2009)

Security issues? I do not understand. Please explain?


----------



## saviliana (Nov 13, 2009)

Tobias_foxfire said:


> Security issues? I do not understand. Please explain?


They said it was a flash bug with cookies, don't know what happens.


----------



## Tobias_foxfire (Nov 13, 2009)

saviliana said:


> They said it was a flash bug with cookies, don't know what happens.




*blinks* odd, I've never had any issues over here with watching flashes


----------



## Stratelier (Nov 13, 2009)

Tobias_foxfire said:


> Security issues? I do not understand. Please explain?


I only took a cursory glance at the articles, but the gist of it appears to be:

Flash scripts have access to any and all cookies (including login / password cookies) set by whatever server they were uploaded to.  This is not so much a bug as something that people never fully realized the security implications of until recently.


----------



## Tobias_foxfire (Nov 13, 2009)

Stratadrake said:


> I only took a cursory glance at the articles, but the gist of it appears to be:
> 
> Flash scripts have access to any and all cookies (including login / password cookies) set by whatever server they were uploaded to.  This is not so much a bug as something that people never fully realized the security implications of until recently.




<.< That doesn't seem like something very hard to control. Flash getting access to cookies? Seriously wtf?


----------



## chubbyhusky (Nov 13, 2009)

Stratadrake said:


> I only took a cursory glance at the articles, but the gist of it appears to be:
> 
> Flash scripts have access to any and all cookies (including login / password cookies) set by whatever server they were uploaded to.  This is not so much a bug as something that people never fully realized the security implications of until recently.



so if they're uploaded to FA wouldn't someone have to hack FA's server to get those cookies with that info? If they could do that is this cookie problem really the issue at that point?


----------



## Tobias_foxfire (Nov 13, 2009)

chubbyhusky said:


> so if they're uploaded to FA wouldn't someone have to hack FA's server to get those cookies with that info? If they could do that is this cookie problem really the issue at that point?




Hackers should die >.< All they do is cause problems regardless of the issue.


----------



## Ash-Fox (Nov 13, 2009)

Tobias_foxfire said:


> Hackers should die >.< All they do is cause problems regardless of the issue.


I was in a really pissed off mood today, sorry.


----------



## Tobias_foxfire (Nov 13, 2009)

Ash-Fox said:


> I was in a really pissed off mood today, sorry.




I really hope you are not serious   >.>


----------



## ArielMT (Nov 13, 2009)

Nanakisan said:


> ahh very understandable....let's see that's 2 features that FA will now never see again.



Since this feature is in fairly high demand across the entire 'Net, not just on FA, I can't imagine the admins mainside would even think of sitting on this one, not that they'd be just sitting on any fixes at all.

Yak's notice on the Site Status board: November 13: Flash support temporarily removed, users logged out.

News article outlining the vulnerability FA visitors were just saved from: http://www.computerworld.com/s/arti...puts_most_sites_users_at_risk_say_researchers

For the more technically inclined, coverage at the Internet Storm Center: http://isc.sans.org/diary.html?storyid=7585


----------



## Ash-Fox (Nov 13, 2009)

Tobias_foxfire said:


> I really hope you are not serious   >.>


I am. I got into a messed up state of mind.

If you'd like to know the specifics:

I hadn't slept the past three days, to the point that I've gone and made an appointment with the local surgery here to see if I can get something (appointment is in a few hours time). I've had a company go bust on me and take a huge amount of money I invested in getting something produced which was going to start my business stuff [self employed] - from this I was already feeling quite down.

Then something randomly at the back of my head went "oh crap, myspace, facebook, fa etc. must be vulnerable to X" while messing with something in flash. I tell a local group of techies about a potential issue and they blow me off claiming it's not possible which pisses me off enough to do a practical application to prove them wrong including explaining how it works in detail.

Then I get a note from Yak and I only /then/ realize what an idiot I am. I'm pissed off with myself and no, I don't think this is justified action in any way. It was wrong, plain and simple.


----------



## Tobias_foxfire (Nov 13, 2009)

ArielMT said:


> Since this feature is in fairly high demand across the entire 'Net, not just on FA, I can't imagine the admins mainside would even think of sitting on this one, not that they'd be just sitting on any fixes at all.
> 
> Yak's notice on the Site Status board: November 13: Flash support temporarily removed, users logged out.
> 
> ...



Fuck me, I'm gonna have to lock out my internet connection every time I open up a damn flash from my hard drive. FUCK you hackers, you should all get run over with a car. >.<


----------



## Nanakisan (Nov 13, 2009)

and again I raise the request to please have this closed before more drama ensues.


----------



## Tobias_foxfire (Nov 13, 2009)

Nanakisan said:


> and again I raise the request to please have this closed before more drama ensues.




If you dislike drama so much why even bother posting here? On another note I suggest that everyone clear out all their cookies and reset any/all passwords to any websites they have used.


----------



## Stratelier (Nov 13, 2009)

chubbyhusky said:


> so if they're uploaded to FA wouldn't someone have to hack FA's server to get those cookies with that info? If they could do that is this cookie problem really the issue at that point?


No, cookies are stored in the user's browser, on their computer.  For example, if a hacker is able to fetch your login cookies then they could -- in theory -- do anything to your account that doesn't require password verification (and pray that those cookies don't contain _actual passwords_....).



			
http://isc.sans.org/diary.html?storyid=7585 said:

> The basic policy for [Flash] Actionscript is very close to the Javascript same-origin policy: A Flash object can only access content from the domain it originated from....  The important difference is that ... a flash object does not need to be injected into a web page to execute-- simply loading the content is enough.
> ...
> If I can get a Flash object onto your server, I can execute scripts in the context of your domain.
> 
> To be sure, any server that allows unvalidated uploads of contents will let an attacker upload html pages with cross-site scripting or other attacks, but SWF files do not require a .swf extension or special content-type headers to execute ... ZIP archives, self-extracting executables, Microsoft Office Open XML documents, XPI files ... can all be crafted to contain executable SWFs.


----------



## Ash-Fox (Nov 13, 2009)

Stratadrake said:


> The basic policy for [Flash] Actionscript is very close to the Javascript same-origin policy: A Flash object can only access content from the domain it originated from....


This is not entirely true. With my tests, I found that if a website has actually embedded the flash content into it, it is also capable of reading cookies that that page is able to access, not only the domain that actual 'swf' file is located at.


----------



## Tobias_foxfire (Nov 13, 2009)

Ash-Fox said:


> This is not entirely true. With my tests, I found that if a website has actually embedded the flash content into it, it is also capable of reading cookies that that page is able to access, not only the domain that actual 'swf' file is located at.




Why can't people just leave other people's websites alone? >.<


----------



## SnowFox (Nov 13, 2009)

Tobias_foxfire said:


> Why can't people just leave other people's websites alone? >.<



Why can't people just stop making insecure software? >.<


----------



## Tobias_foxfire (Nov 13, 2009)

SnowFox said:


> Why can't people just stop making insecure software? >.<




Will you just shush please?


----------



## Ben (Nov 13, 2009)

Oh hey, I was wondering when FA was going to catch onto this. Only been four years, but hey!


----------



## whiteskunk (Nov 13, 2009)

Darn it! Just when I was going to share (in my scraps folder) one of my amv entries for Sakura-Con.


----------



## Aurali (Nov 13, 2009)

If you guys haven't figured it out, I know a workaround


----------



## Dragoneer (Nov 13, 2009)

Aurali said:


> If you guys haven't figured it out, I know a workaround


It'll be fixed in a few days. We've already implemented part of the fix as of today, it just needs some time.


----------



## Aurali (Nov 13, 2009)

Dragoneer said:


> It'll be fixed in a few days. We've already implemented part of the fix as of today, it just needs some time.



awrr.. you guys are doing it the hard way


----------



## Tobias_foxfire (Nov 13, 2009)

Aurali said:


> awrr.. you guys are doing it the hard way




Dude, don't be a know-it-all. It's annoying and not your job. Good job guys hope to see flash back in action.


----------



## Aurali (Nov 13, 2009)

Tobias_foxfire said:


> Dude, don't be a know-it-all. It's annoying and not your job. Good job guys hope to see flash back in action.



They know I mean no harm sweetheart.


----------



## Tobias_foxfire (Nov 13, 2009)

Aurali said:


> They know I mean no harm sweetheart.



*blinks* don't call me a sweetheart... >.>


----------



## TakeWalker (Nov 13, 2009)

My only question now is, how does this problem affect us from other websites, and how do we avoid the consequences? D: I mean, maybe one other website I go to has logged me out in the past week.


----------



## Aurali (Nov 13, 2009)

TakeWalker said:


> My only question now is, how does this problem affect us from other websites, and how do we avoid the consequences? D: I mean, maybe one other website I go to has logged me out in the past week.



any website that allows flash uploads has this risk, the only ways to fix it (that I know of) are to host on a separate domain or build a flash parser.


----------
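
Added example, not part of any post in this thread and not FA's actual fix: a content-based upload check in the spirit of the "flash parser" Aurali mentions and of the ISC note quoted earlier that SWF files need no .swf extension. It assumes the SWF header sits at offset 0 of the file; the function names, verdict strings and sample bytes are constructed for illustration.

```python
import struct

# FWS = uncompressed, CWS = zlib, ZWS = LZMA (ZWS postdates this thread).
SWF_SIGNATURES = {b"FWS": "none", b"CWS": "zlib", b"ZWS": "lzma"}


def parse_swf_header(data: bytes):
    """Return the 8-byte SWF header fields, or None if the magic is absent."""
    if len(data) < 8 or data[:3] not in SWF_SIGNATURES:
        return None
    version = data[3]
    (declared_len,) = struct.unpack_from("<I", data, 4)  # little-endian u32
    return {
        "compression": SWF_SIGNATURES[data[:3]],
        "version": version,
        "declared_len": declared_len,
        # Bytes past the declared length of an uncompressed SWF suggest a
        # second format appended after it (a polyglot file).
        "trailing": data[:3] == b"FWS" and len(data) > declared_len,
    }


def classify_upload(filename: str, data: bytes, flash_enabled: bool) -> str:
    """Decide on content, never on the extension the uploader chose."""
    header = parse_swf_header(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if header is None:
        return "reject-mismatch" if ext == "swf" else "accept"
    if ext != "swf" or header["trailing"]:
        return "reject-disguised-swf"
    # Hypothetical verdict: genuine Flash is only served from a separate domain.
    return "accept-isolated-domain" if flash_enabled else "reject-flash-disabled"


def _constructed(sig: bytes, version: int, declared: int, tail: bytes = b"") -> bytes:
    """Constructed sample: a bare header plus padding, not a playable movie."""
    body = b"\x00" * (declared - 8)
    return sig + bytes([version]) + struct.pack("<I", declared) + body + tail


SAMPLES = {  # constructed inputs, keyed by the name the uploader claims
    "animation.swf": _constructed(b"FWS", 9, 32),
    "avatar.jpg": _constructed(b"FWS", 9, 32),
    "archive.zip": _constructed(b"FWS", 9, 32, tail=b"PK\x05\x06" + b"\x00" * 18),
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 28,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:14} {classify_upload(name, blob, flash_enabled=True)}")
```

The check deliberately errs toward flagging: any file that begins with an SWF signature is treated as Flash, whatever its name or declared type.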



## Tobias_foxfire (Nov 14, 2009)

Aurali said:


> any website that allows flash uploads has this risk, the only ways to fix it (that I know of) are to host on a separate domain or build a flash parser.





do these security issues affect users' computers? Or just the server that is hosting them. I'm not worried I've got the most secured computer on the block


----------



## Aurali (Nov 14, 2009)

Tobias_foxfire said:


> do these security issues affect users' computers? Or just the server that is hosting them. I'm not worried I've got the most secured computer on the block



Browser side, I'm not saying anything else without a go ahead.


----------



## Tobias_foxfire (Nov 16, 2009)

Anyone have any news on how the flash fix is going?


----------



## Aurali (Nov 16, 2009)

Tobias_foxfire said:


> Anyone have any news on how the flash fix is going?



waiting on the new URL to propagate, give it a few days.


----------



## ArielMT (Nov 16, 2009)

Tobias_foxfire said:


> Anyone have any news on how the flash fix is going?



The delay is, as yak reported, waiting for the new name to propagate worldwide.  DNS changes are not as instantaneous as most people believe, especially at some major ISPs who seem to think the post office should propagate changes faster than their DNS servers.



yak said:


> A fix is in the works, however it will take a day or two before flash file support can be re-enabled. All of this time goes into waiting for a new domain name to propagate worldwide.
> Yes, I know it takes much less time than that, but tell it to all the ISPs out there that ignore domain TTL settings on their name servers.



Edit: Ninja'd.


----------



## Dragoneer (Nov 16, 2009)

Yak messaged me that Flash should be active now.


----------



## Tobias_foxfire (Nov 16, 2009)

Dragoneer said:


> Yak messaged me that Flash should be active now.



thank you dominate one *chuckles and goes to see how things are doing*


----------

