Cross-Domain Misconfiguration - Silverlight

  • Alert Level:
  • High

  • Alert Type:
  • Active
Summary

Silverlight-based cross-site request forgery may be possible due to a misconfiguration on the web server.

Solution

Configure the clientaccesspolicy.xml file to restrict the list of domains that are allowed to make cross-domain requests to this web server, using . Grant access to "*" (all domains) only if you are certain that this service hosts no access-controlled, personalized, or private data.

Other Info
The web server permits malicious cross-domain requests, originating from Silverlight components served from any third-party domain, to this domain. If the victim user is logged into this service, the malicious requests are processed with the victim's privileges and can result in data from this service being read by an unauthorised third-party web site via the victim's web browser. It can also result in Cross-Site Request Forgery (CSRF) style attacks. This is particularly likely to be an issue if a cookie-based session implementation is in use, because the browser attaches the session cookie to the cross-domain request automatically. Note that Silverlight reached end of support on 12 October 2021 and current browsers no longer run the plug-in; if the service no longer has legacy Silverlight clients, the policy file can simply be removed.
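The following script is an added example (not part of the alert text or of the scanner) that shows the permissive policy this alert describes beside a restricted one, and checks a policy document offline the way a tester would before raising the finding. All three policy files are constructed samples; the hostname partner.example.com and the resource paths are assumptions. It also reproduces Silverlight's documented lookup order: clientaccesspolicy.xml is authoritative when present, and crossdomain.xml is consulted only when it is missing.

```python
"""Offline check for a Silverlight cross-domain policy that admits any origin.
Added example, not part of the alert or of ZAP. The policy documents are
constructed samples."""
import xml.etree.ElementTree as ET

# Constructed sample: the permissive policy that triggers this alert.
# uri="*" admits every origin, and http-request-headers="*" lets the caller
# set arbitrary request headers, so header-based CSRF defences are bypassed too.
PERMISSIVE_CLIENTACCESSPOLICY = """<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="*"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>
"""

# Constructed sample: the hardened form. One named origin (assumed hostname),
# only the header it needs, and only the path it needs.
RESTRICTED_CLIENTACCESSPOLICY = """<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="SOAPAction">
        <domain uri="https://partner.example.com"/>
      </allow-from>
      <grant-to>
        <resource path="/services/public/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>
"""

# Constructed sample: permissive Flash-style crossdomain.xml, which Silverlight
# falls back to only when clientaccesspolicy.xml is absent.
PERMISSIVE_CROSSDOMAIN = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>
"""


def is_any_origin(uri):
    """True for "*", "http://*" or "https://*" (every origin).
    A subdomain wildcard such as "http://*.example.com" is not any-origin."""
    uri = uri.strip()
    if uri == "*":
        return True
    for scheme in ("http://", "https://"):
        if uri.startswith(scheme) and uri[len(scheme):].rstrip("/") == "*":
            return True
    return False


def check_clientaccesspolicy(xml_text):
    """Return (domain uri, http-request-headers) for each any-origin <domain>."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings = []
    for allow_from in root.iter("allow-from"):
        headers = allow_from.get("http-request-headers", "")
        for domain in allow_from.findall("domain"):
            uri = domain.get("uri", "")
            if is_any_origin(uri):
                findings.append((uri, headers))
    return findings


def check_crossdomain(xml_text):
    """Return the any-origin domain values of a crossdomain.xml document."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return [e.get("domain", "") for e in root.iter("allow-access-from")
            if is_any_origin(e.get("domain", ""))]


def assess(clientaccesspolicy_xml=None, crossdomain_xml=None):
    """Decide as Silverlight does: clientaccesspolicy.xml wins when present;
    crossdomain.xml is only consulted when it is missing."""
    if clientaccesspolicy_xml is not None:
        findings, source = check_clientaccesspolicy(clientaccesspolicy_xml), "clientaccesspolicy.xml"
    elif crossdomain_xml is not None:
        findings, source = check_crossdomain(crossdomain_xml), "crossdomain.xml"
    else:
        return {"source": None, "permissive": False, "findings": []}
    return {"source": source, "permissive": bool(findings), "findings": findings}


if __name__ == "__main__":
    print("permissive:", assess(PERMISSIVE_CLIENTACCESSPOLICY))
    print("restricted:", assess(RESTRICTED_CLIENTACCESSPOLICY))
    print("fallback:  ", assess(None, PERMISSIVE_CROSSDOMAIN))
```

When reviewing a real deployment, fetch both /clientaccesspolicy.xml and /crossdomain.xml from the site root and pass them to assess(); a restricted clientaccesspolicy.xml does not by itself make the host safe if it is later removed and a permissive crossdomain.xml remains behind it.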
References

https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/CrossDomain_PolicyFile_Specification.pdf

https://learn.microsoft.com/en-us/previous-versions/windows/silverlight/dotnet-windows-silverlight/cc197955(v=vs.95)

https://learn.microsoft.com/en-us/previous-versions/windows/silverlight/dotnet-windows-silverlight/cc838250(v=vs.95)