Insecure Flash embed parameter

Description

The AllowScriptAccess parameter in the HTML code that loads a SWF file controls whether ActionScript running in the SWF file can script the HTML page that embeds it, for example through ExternalInterface.call() or a javascript: URL passed to getURL() or navigateToURL(). Set this parameter in both the PARAM tag (inside OBJECT) and the EMBED tag, because each browser family honours one of them and ignores the other. The parameter accepts three values: "always", "sameDomain" and "never". If no value is set, the default is "sameDomain": the SWF file and the HTML page can communicate only if both are served from the same domain.

This HTML page embeds a SWF file with the AllowScriptAccess parameter set to "always". With that setting the SWF file can script the HTML page in which it is embedded, even when the SWF file is served from a different domain than the HTML page. Any JavaScript the SWF runs executes in the origin of the embedding page, so a third-party, user-supplied or compromised SWF can inject script into the page and act as the user on that domain. This is a security issue and can result in attacks such as script injection (cross-site scripting) and cross-domain privilege escalation.

Remediation

Set AllowScriptAccess to "never", or remove the parameter so that the default of "sameDomain" applies. Make the change in both the PARAM and the EMBED tag; a page that fixes only one of them is still exploitable in the browsers that read the other. Use "sameDomain" rather than "never" only if the SWF legitimately needs to call JavaScript on the host page, and in that case serve the SWF from the same domain as the page. Adobe ended support for Flash Player on 31 December 2020 and current browsers no longer run SWF content, so the most durable remediation is to remove the Flash embed altogether.
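
The following is an added example, not part of the original finding text: a small audit script that parses HTML with Python's standard html.parser and reports every Flash embed whose effective AllowScriptAccess value is "always", checking both the PARAM inside OBJECT and the attribute on EMBED so that a half-applied remediation is caught. The three HTML snippets are constructed samples with hypothetical URLs: the insecure embed described above, the same embed after remediation, and one where only the PARAM was fixed.

```python
# Added example (not part of the original finding): flag Flash embeds whose
# AllowScriptAccess is "always". The check covers both places the parameter
# can be set, a <param> inside <object> and an attribute on <embed>, because
# each browser family reads only one of them. Matching is case-insensitive;
# an omitted parameter is reported as the default, sameDomain.
from html.parser import HTMLParser


class FlashEmbedAuditor(HTMLParser):
    """Collect (tag, swf url, effective AllowScriptAccess) for every embed."""

    def __init__(self):
        super().__init__()
        self.embeds = []     # every object/embed seen, with its effective value
        self._object = None  # state for the <object> currently being parsed

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values keep their case.
        a = {name: (value or "") for name, value in attrs}
        if tag == "object":
            self._object = {"src": a.get("data", ""), "value": None}
        elif tag == "param" and self._object is not None:
            name = a.get("name", "").lower()
            if name == "allowscriptaccess":
                self._object["value"] = a.get("value")
            elif name == "movie" and not self._object["src"]:
                self._object["src"] = a.get("value", "")
        elif tag == "embed":
            self._record("embed", a.get("src", ""), a.get("allowscriptaccess"))

    def handle_endtag(self, tag):
        if tag == "object" and self._object is not None:
            self._record("object", self._object["src"], self._object["value"])
            self._object = None

    def _record(self, tag, src, value):
        effective = (value or "sameDomain").lower()  # omitted -> sameDomain default
        self.embeds.append((tag, src, effective))


def audit(html):
    """Return the embeds that grant unrestricted scripting ("always")."""
    parser = FlashEmbedAuditor()
    parser.feed(html)
    parser.close()
    return [e for e in parser.embeds if e[2] == "always"]


# Constructed sample markup (hypothetical URLs), as a scanner would see it.
INSECURE_HTML = """
<object data="https://cdn.example.net/player.swf" type="application/x-shockwave-flash">
  <param name="movie" value="https://cdn.example.net/player.swf">
  <param name="AllowScriptAccess" value="always">
  <embed src="https://cdn.example.net/player.swf" type="application/x-shockwave-flash"
         allowScriptAccess="always">
</object>
"""

# The same embed after remediation: "never" in both the PARAM and the EMBED tag.
HARDENED_HTML = """
<object data="https://cdn.example.net/player.swf" type="application/x-shockwave-flash">
  <param name="movie" value="https://cdn.example.net/player.swf">
  <param name="AllowScriptAccess" value="never">
  <embed src="https://cdn.example.net/player.swf" type="application/x-shockwave-flash"
         allowScriptAccess="never">
</object>
"""

# Half-fixed: the PARAM was changed but the EMBED was not, so browsers that
# read the EMBED tag still get "always". The audit reports the embed tag.
HALF_FIXED_HTML = """
<object data="/static/player.swf" type="application/x-shockwave-flash">
  <param name="AllowScriptAccess" value="never">
  <embed src="/static/player.swf" allowScriptAccess="always">
</object>
"""

if __name__ == "__main__":
    samples = [("insecure", INSECURE_HTML), ("hardened", HARDENED_HTML),
               ("half-fixed", HALF_FIXED_HTML)]
    for label, doc in samples:
        for tag, src, value in audit(doc):
            print(f"{label}: <{tag}> {src} AllowScriptAccess={value}")
```

The auditor deliberately reports the OBJECT and the EMBED separately rather than collapsing them into one finding, since the two can disagree; the half-fixed sample is exactly the case where a reviewer who only looked at the PARAM would sign off on a page that still exposes the "always" setting through the EMBED tag.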

References