[CLOSED] Is MultiUpload secure?



matt
Aug 08, 2014, 7:49 PM
Hi,

I will need to implement file upload over the internet in my application. The server will be using a secure connection (HTTPS).
When I saw the "MultiUpload" demos, my impression was: wow... this is exactly what I need.

But...

When I read that MultiUpload is based on "swfupload", I followed the link: https://code.google.com/p/swfupload/
I was surprised and confused to see this:

Announcement
SWFUpload has not been under active development for several years. The existing SWFUpload code is stable but the Adobe Flash Player platform has significant bugs that have not been addressed since Flash Player v8; the platform SWFUpload originally targeted.

Warning: SWFUpload's .swf file suffers from a Cross Scripting vulnerability as described here: https://nealpoole.com/blog/2012/05/xss-and-csrf-via-swf-applets-swfupload-plupload/



My question here is in the title of this post. Is MultiUpload secure? Or is it safe enough to use?

Thank you,

Matt

Vladimir
Aug 08, 2014, 9:39 PM
Well, we are not the authors of SwfUpload; we just created an Ext.Net wrapper for it.
If you have any test cases that reproduce some vulnerabilities, we will be happy to investigate them, but as you understand, we cannot change SwfUpload.

By the way, I was not able to reproduce the issue using the "Proof of Concept" from the nealpoole.com article.
I guess that the described vulnerability (if it is not fixed in swfupload or Flash) is not dangerous in itself if you don't allow web users to modify the page.

geoffrey.mcgill
Aug 09, 2014, 4:02 AM
Is MultiUpload secure ? or is it safe enough to use it ?

Unfortunately, this is not something we can determine, and frankly it is far too much of an open-ended question. Define "secure".

My advice... don't assume anything coming from the client is secure.

Use of SSL and server-side validation should help avoid most issues.