<article>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#article09_11_12_2337236</id>
	<title>Flash Vulnerability Found, Adobe Says No Fix Forthcoming</title>
	<author>timothy</author>
	<datestamp>1258026240000</datestamp>
	<htmltext>An anonymous reader writes <i>"Security researchers at Foreground Security have <a href="http://www.foregroundsecurity.com/MyBlog/flash-origin-policy-issues.html">found an issue with Adobe Flash</a>.  Any site that allows files to be uploaded could be vulnerable to this issue (whether they serve Flash or not!).  Adobe has said that no easy fix exists and no patch is forthcoming.  Adobe puts the responsibility on the website administrators themselves to fix this problem, but <a href="http://www.computerworld.com/s/article/9140768/Flash\_flaw\_puts\_most\_sites\_users\_at\_risk\_say\_researchers">they themselves seem to be vulnerable</a> to these problems. Every user with Flash installed is vulnerable to this new type of attack and &mdash; until IT administrators fix their sites &mdash; will continue to be."</i></htmltext>
<tokenext>An anonymous reader writes " Security researchers at Foreground Security have found an issue with Adobe Flash .
Any site that allows files to be uploaded could be vulnerable to this issue ( whether they serve Flash or not ! ) .
Adobe has said that no easy fix exists and no patch is forthcoming .
Adobe puts the responsibility on the website administrators themselves to fix this problem , but they themselves seem to be vulnerable to these problems .
Every user with Flash installed is vulnerable to this new type of attack and    until IT administrators fix their sites    will continue to be .
"</tokentext>
<sentencetext>An anonymous reader writes "Security researchers at Foreground Security have found an issue with Adobe Flash.
Any site that allows files to be uploaded could be vulnerable to this issue (whether they serve Flash or not!).
Adobe has said that no easy fix exists and no patch is forthcoming.
Adobe puts the responsibility on the website administrators themselves to fix this problem, but they themselves seem to be vulnerable to these problems.
Every user with Flash installed is vulnerable to this new type of attack and — until IT administrators fix their sites — will continue to be.
"</sentencetext>
</article>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081630</id>
	<title>NEWS FLASH: Web sites need to screen uploads</title>
	<author>Anonymous</author>
	<datestamp>1258031340000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>3</modscore>
	<htmltext><p>This is ridiculous. If a web site lets you upload a JavaScript file and then serves it back to you as part of a request, it would be crazy. All that has happened here is that people have worked out that doing the same thing with a Flash file is equally bad.</p><p>Of course there's no easy fix apart from web sites being sensible in what they upload -- just like anyone with a clue doesn't let users submit comments with  tags in them.</p></htmltext>
<tokenext>This is ridiculous .
If a web site lets you upload a JavaScript file and then serves it back to you as part of a request , it would be crazy .
All that has happened here is that people have worked out that doing the same thing with a Flash file is equally bad.Of course there 's no easy fix apart from web sites being sensible in what they upload -- just like anyone with a clue does n't let users submit comments with tags in them .</tokentext>
<sentencetext>This is ridiculous.
If a web site lets you upload a JavaScript file and then serves it back to you as part of a request, it would be crazy.
All that has happened here is that people have worked out that doing the same thing with a Flash file is equally bad.Of course there's no easy fix apart from web sites being sensible in what they upload -- just like anyone with a clue doesn't let users submit comments with  tags in them.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30087832</id>
	<title>Re:Uploading a swf with a jpg extension?</title>
	<author>Ramirozz</author>
	<datestamp>1258132920000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Yes, I was asking the same question and as Lobster said you can include headers in PHP, for example... but I would like to know if there is anything to do to validate these crafted image files because in that case it doesn't matter if you are using flash or not. Well, flash will make it easier to execute it from another domain.</htmltext>
<tokenext>Yes , I was asking the same question and as Lobster said you can include headers in PHP , for example... but I would like to know if there is anything to do to validate these crafted image files because in that case it does n't matter if you are using flash or not .
Well , flash will make it easier to execute it from another domain .</tokentext>
<sentencetext>Yes, I was asking the same question and as Lobster said you can include headers in PHP, for example... but I would like to know if there is anything to do to validate these crafted image files because in that case it doesn't matter if you are using flash or not.
Well, flash will make it easier to execute it from another domain.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081958</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30085164</id>
	<title>Re:Flash security has always frightened me</title>
	<author>maxume</author>
	<datestamp>1258114920000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>The cross domain stuff isn't that terrible, it defaults to deny, and you can actually turn off flash cookies:</p><p><a href="http://www.macromedia.com/support/documentation/en/flashplayer/help/settings\_manager03.html" title="macromedia.com" rel="nofollow">http://www.macromedia.com/support/documentation/en/flashplayer/help/settings\_manager03.html</a> [macromedia.com]</p><p>I'm not sure that qualifies as a special tool or not. Another panel there lets you remove existing cookies.</p></htmltext>
<tokenext>The cross domain stuff is n't that terrible , it defaults to deny , and you can actually turn off flash cookies : http : //www.macromedia.com/support/documentation/en/flashplayer/help/settings \ _manager03.html [ macromedia.com ] I 'm not sure that qualifies as a special tool or not .
Another panel there lets you remove existing cookies .</tokentext>
<sentencetext>The cross domain stuff isn't that terrible, it defaults to deny, and you can actually turn off flash cookies:http://www.macromedia.com/support/documentation/en/flashplayer/help/settings\_manager03.html [macromedia.com]I'm not sure that qualifies as a special tool or not.
Another panel there lets you remove existing cookies.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082144</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30091018</id>
	<title>Re:Uploading a swf with a jpg extension?</title>
	<author>JesseMcDonald</author>
	<datestamp>1258102980000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Even better, if the server and the HTML both supply a content-type, the browser should block the plug-in unless the two content-types agree; neither should be ignored.</p></htmltext>
<tokenext>Even better , if the server and the HTML both supply a content-type , the browser should block the plug-in unless the two content-types agree ; neither should be ignored .</tokentext>
<sentencetext>Even better, if the server and the HTML both supply a content-type, the browser should block the plug-in unless the two content-types agree; neither should be ignored.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082084</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081560</id>
	<title>We need to move beyond Flash</title>
	<author>ClosedSource</author>
	<datestamp>1258030980000</datestamp>
	<modclass>Funny</modclass>
	<modscore>4</modscore>
	<htmltext><p>so we can have malware based on open standards.</p></htmltext>
<tokenext>so we can have malware based on open standards .</tokentext>
<sentencetext>so we can have malware based on open standards.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30083024</id>
	<title>Re:Broken security model</title>
	<author>Anonymous</author>
	<datestamp>1258042440000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Translation: The Internet is broken.  Let's just flush the tubes and start over.  Seriously, I'd like to see a security researcher design a website that is both useful and secure that takes user input besides numbers. It is impossible to secure a blogging or social media site and offer any of the features users expect.</p></htmltext>
<tokenext>Translation : The Internet is broken .
Let 's just flush the tubes and start over .
Seriously , I 'd like to see a security researcher design a website that is both useful and secure that takes user input besides numbers .
It is impossible to secure a blogging or social media site and offer any of the features users expect .</tokentext>
<sentencetext>Translation: The Internet is broken.
Let's just flush the tubes and start over.
Seriously, I'd like to see a security researcher design a website that is both useful and secure that takes user input besides numbers.
It is impossible to secure a blogging or social media site and offer any of the features users expect.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081500</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082964</id>
	<title>Re:Broken security model</title>
	<author>dissy</author>
	<datestamp>1258041960000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext><p><div class="quote"><p>Adobe's answer is just the greatest kind of cop out.</p></div><p>How exactly would you suggest Adobe modify the flash plugin so that it will run on your computer when I am the one to upload it to my website, but not run it when someone else who I have given permission (thus access) to upload it to my site in my name?</p><p>Either you run code from my website, or you don't.  You can't base any decisions on if it was my SCP client that uploaded it to the web server, or someone else uploaded it, mainly because there is no possible way for the server nor you to tell the difference.</p><p>What change exactly can Adobe make to come into play here?</p></div>
	</htmltext>
<tokenext>Adobe 's answer is just the greatest kind of cop out.How exactly would you suggest Adobe modify the flash plugin so that it will run on your computer when I am the one to upload it to my website , but not run it when someone else who I have given permission ( thus access ) to upload it to my site in my name ? Either you run code from my website , or you do n't .
You ca n't base any decisions on if it was my SCP client that uploaded it to the web server , or someone else uploaded it , mainly because there is no possible way for the server nor you to tell the difference.What change exactly can Adobe make to come into play here ?</tokentext>
<sentencetext>Adobe's answer is just the greatest kind of cop out.How exactly would you suggest Adobe modify the flash plugin so that it will run on your computer when I am the one to upload it to my website, but not run it when someone else who I have given permission (thus access) to upload it to my site in my name?Either you run code from my website, or you don't.
You can't base any decisions on if it was my SCP client that uploaded it to the web server, or someone else uploaded it, mainly because there is no possible way for the server nor you to tell the difference.What change exactly can Adobe make to come into play here?
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081500</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082642</id>
	<title>Re:the article is bullshit.</title>
	<author>Anonymous</author>
	<datestamp>1258039380000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Agreed. The malicious avatar seems an unrealistic example. I don't see flash running in the webpage outside of an object/embed tag - the author seems to imply the you just upload an swf disguised as an image and away you go. The use of the flash avatar virtually needs to be sanctioned by site not stripping out object/embed in whatever sanitization they are using.</p></htmltext>
<tokenext>Agreed .
The malicious avatar seems an unrealistic example .
I do n't see flash running in the webpage outside of an object/embed tag - the author seems to imply the you just upload an swf disguised as an image and away you go .
The use of the flash avatar virtually needs to be sanctioned by site not stripping out object/embed in whatever sanitization they are using .</tokentext>
<sentencetext>Agreed.
The malicious avatar seems an unrealistic example.
I don't see flash running in the webpage outside of an object/embed tag - the author seems to imply the you just upload an swf disguised as an image and away you go.
The use of the flash avatar virtually needs to be sanctioned by site not stripping out object/embed in whatever sanitization they are using.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081622</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082118</id>
	<title>Let the lawyers fix this</title>
	<author>Anonymous</author>
	<datestamp>1258034460000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>A few hungry lawyers can get this problem fixed in a week.  Just get a few injured parties and they will take care of the rest.  While they are at it, they can fix the problems with the entire internet protocol suite that allows any application on any box to send and receive any data from any IP with zero traceability or accountability, all for free.  This shit has got to end and the only way it will is if the consumers of this 1970s archaic crap we are all swallowing start to complain (i.e., lose money and time).</p></htmltext>
<tokenext>A few hungry lawyers can get this problem fixed in a week .
Just get a few injured parties and they will take care of the rest .
While they are at it , they can fix the problems with the entire internet protocol suite that allows any application on any box to send and receive any data from any IP with zero traceability or accountability , all for free .
This shit has got to end and the only way it will is if the consumers of this 1970s archaic crap we are all swallowing start to complain ( i.e. , lose money and time ) .</tokentext>
<sentencetext>A few hungry lawyers can get this problem fixed in a week.
Just get a few injured parties and they will take care of the rest.
While they are at it, they can fix the problems with the entire internet protocol suite that allows any application on any box to send and receive any data from any IP with zero traceability or accountability, all for free.
This shit has got to end and the only way it will is if the consumers of this 1970s archaic crap we are all swallowing start to complain (i.e., lose money and time).</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30085130</id>
	<title>Re:Flash security has always frightened me</title>
	<author>Chuffpole</author>
	<datestamp>1258114560000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Thank you for alerting me to that. I did what I could to delete those cookies, but still had a load of folders (now empty) with website names, in the folder :<br>C:\Users\(mylogin)\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys<br>- some with unsavoury names<nobr> <wbr></nobr>:)</p><p>I'm glad I've been able to get rid. Thanks.</p></htmltext>
<tokenext>Thank you for alerting me to that .
I did what I could to delete those cookies , but still had a load of folders ( now empty ) with website names , in the folder : C : \ Users \ ( mylogin ) \ AppData \ Roaming \ Macromedia \ Flash Player \ macromedia.com \ support \ flashplayer \ sys- some with unsavoury names : ) I 'm glad I 've been able to get rid .
Thanks .</tokentext>
<sentencetext>Thank you for alerting me to that.
I did what I could to delete those cookies, but still had a load of folders (now empty) with website names, in the folder :C:\Users\(mylogin)\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys- some with unsavoury names :)I'm glad I've been able to get rid.
Thanks.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082144</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081704</id>
	<title>Flashblock</title>
	<author>Spatial</author>
	<datestamp>1258031880000</datestamp>
	<modclass>Offtopic</modclass>
	<modscore>1</modscore>
	<htmltext><a href="https://addons.mozilla.org/en-US/firefox/addon/433" title="mozilla.org">Use it</a> [mozilla.org].</htmltext>
<tokenext>Use it [ mozilla.org ] .</tokentext>
<sentencetext>Use it [mozilla.org].</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081910</id>
	<title>What the...</title>
	<author>thePowerOfGrayskull</author>
	<datestamp>1258033260000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>3</modscore>
	<htmltext><p><div class="quote"><p>Instead, Arkin added, Adobe has tried to get the word out to Web application designers and site administrators about the danger of allowing users to upload content. "Sites should not allow user uploads to a trusted domain," Arkin argued. "The real issue here is that developers should be cautious about using techniques that can be misused maliciously. In general, this is a general challenge in managing active content."</p></div><p>Arkin is from Adobe.  And he's seriously saying that in order to "fix" this, web site owners must simply disallow users from uploading files. Period.  (Not through Flash, but all file uploading<nobr> <wbr></nobr>.)   That's a spectacular answer.
</p><p>
On the other hand... I kind of understand where he's comign from. If you let your users upload content unchecked, and serve that content up, you are potentially giving some level of access to client machines. In this case, it seems somewhat minimal?  I'm not familiar with actionscript, but you don't get free reign to the user's machien do you? Only content specifically store under the domain of the owning server, in the context of Flash?</p></div>
	</htmltext>
<tokenext>Instead , Arkin added , Adobe has tried to get the word out to Web application designers and site administrators about the danger of allowing users to upload content .
" Sites should not allow user uploads to a trusted domain , " Arkin argued .
" The real issue here is that developers should be cautious about using techniques that can be misused maliciously .
In general , this is a general challenge in managing active content .
" Arkin is from Adobe .
And he 's seriously saying that in order to " fix " this , web site owners must simply disallow users from uploading files .
Period. ( Not through Flash , but all file uploading .
) That 's a spectacular answer .
On the other hand... I kind of understand where he 's comign from .
If you let your users upload content unchecked , and serve that content up , you are potentially giving some level of access to client machines .
In this case , it seems somewhat minimal ?
I 'm not familiar with actionscript , but you do n't get free reign to the user 's machien do you ?
Only content specifically store under the domain of the owning server , in the context of Flash ?</tokentext>
<sentencetext>Instead, Arkin added, Adobe has tried to get the word out to Web application designers and site administrators about the danger of allowing users to upload content.
"Sites should not allow user uploads to a trusted domain," Arkin argued.
"The real issue here is that developers should be cautious about using techniques that can be misused maliciously.
In general, this is a general challenge in managing active content.
"Arkin is from Adobe.
And he's seriously saying that in order to "fix" this, web site owners must simply disallow users from uploading files.
Period.  (Not through Flash, but all file uploading .
)   That's a spectacular answer.
On the other hand... I kind of understand where he's comign from.
If you let your users upload content unchecked, and serve that content up, you are potentially giving some level of access to client machines.
In this case, it seems somewhat minimal?
I'm not familiar with actionscript, but you don't get free reign to the user's machien do you?
Only content specifically store under the domain of the owning server, in the context of Flash?
	</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30084370</id>
	<title>Re:Flash security has always frightened me</title>
	<author>RAMMS+EIN</author>
	<datestamp>1258145160000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>``Browser vendors have the right incentives because users have a realistic choice of browsers. Flash is an all-or-nothing affair.''</p><p>And that is a real problem for users, and not just because of its effect on security. Only Adobe makes software that can handle all the Flash applets out there, and anytime there is only a single supplier, the incentives to make things better for customers aren't there. Adobe has been pretty nice with Flash, considering.</p></htmltext>
<tokenext>` ` Browser vendors have the right incentives because users have a realistic choice of browsers .
Flash is an all-or-nothing affair .
''And that is a real problem for users , and not just because of its effect on security .
Only Adobe makes software that can handle all the Flash applets out there , and anytime there is only a single supplier , the incentives to make things better for customers are n't there .
Adobe has been pretty nice with Flash , considering .</tokentext>
<sentencetext>``Browser vendors have the right incentives because users have a realistic choice of browsers.
Flash is an all-or-nothing affair.
''And that is a real problem for users, and not just because of its effect on security.
Only Adobe makes software that can handle all the Flash applets out there, and anytime there is only a single supplier, the incentives to make things better for customers aren't there.
Adobe has been pretty nice with Flash, considering.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082144</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30085898</id>
	<title>Re:What the...</title>
	<author>Civil\_Disobedient</author>
	<datestamp>1258123200000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><i>And he's seriously saying that in order to "fix" this, web site owners must simply disallow users from uploading files. Period. (Not through Flash, but all file uploading<nobr> <wbr></nobr>.) That's a spectacular answer.</i></p><p>A spectacularly <i>stupid</i> answer.  If the only person able to view that content is the user that uploaded the file in the first place, the only attack vector is the initial perpetrator.  If, on the other hand, a website blindly allows user content to be served to the world without sanitizing it beforehand, well... all bets are off.</p><p>Nothing to see here, move along.</p></htmltext>
<tokenext>And he 's seriously saying that in order to " fix " this , web site owners must simply disallow users from uploading files .
Period. ( Not through Flash , but all file uploading .
) That 's a spectacular answer.A spectacularly stupid answer .
If the only person able to view that content is the user that uploaded the file in the first place , the only attack vector is the initial perpetrator .
If , on the other hand , a website blindly allows user content to be served to the world without sanitizing it beforehand , well... all bets are off.Nothing to see here , move along .</tokentext>
<sentencetext>And he's seriously saying that in order to "fix" this, web site owners must simply disallow users from uploading files.
Period. (Not through Flash, but all file uploading .
) That's a spectacular answer.A spectacularly stupid answer.
If the only person able to view that content is the user that uploaded the file in the first place, the only attack vector is the initial perpetrator.
If, on the other hand, a website blindly allows user content to be served to the world without sanitizing it beforehand, well... all bets are off.Nothing to see here, move along.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081910</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082094</id>
	<title>Re:Broken security model</title>
	<author>Anonymous</author>
	<datestamp>1258034340000</datestamp>
	<modclass>None</modclass>
	<modscore>-1</modscore>
	<htmltext><p>In a brief moment of sanity, I actually read (some of) the article.  The vulnerability here is no different than any other cross site scripting exploit.  I don't see an easy way to fix this in flash, or in javascript, or in anything.  Allowing someone to run arbitrary code on your site is going to cause problems.</p><p>I hate flash as much as the next guy, but this is no different than being able to inject malicious javascript onto a poorly secured web site.</p><p>Frankly, I'm pretty amazed this is being heralded as some new vulnerability, and even more amazed 'security researches' get paid to 'discover' this.  Can I claim my reward for discovering that letting anyone run whatever code they want on my computer is a security vulnerability?</p></htmltext>
<tokenext>In a brief moment of sanity , I actually read ( some of ) the article .
The vulnerability here is no different than any other cross site scripting exploit .
I do n't see an easy way to fix this in flash , or in javascript , or in anything .
Allowing someone to run arbitrary code on your site is going to cause problems.I hate flash as much as the next guy , but this is no different than being able to inject malicious javascript onto a poorly secured web site.Frankly , I 'm pretty amazed this is being heralded as some new vulnerability , and even more amazed 'security researches ' get paid to 'discover ' this .
Can I claim my reward for discovering that letting anyone run whatever code they want on my computer is a security vulnerability ?</tokentext>
<sentencetext>In a brief moment of sanity, I actually read (some of) the article.
The vulnerability here is no different than any other cross site scripting exploit.
I don't see an easy way to fix this in flash, or in javascript, or in anything.
Allowing someone to run arbitrary code on your site is going to cause problems.I hate flash as much as the next guy, but this is no different than being able to inject malicious javascript onto a poorly secured web site.Frankly, I'm pretty amazed this is being heralded as some new vulnerability, and even more amazed 'security researches' get paid to 'discover' this.
Can I claim my reward for discovering that letting anyone run whatever code they want on my computer is a security vulnerability?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081500</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081918</id>
	<title>Easy solution...</title>
	<author>argent</author>
	<datestamp>1258033260000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Implement flashblock in the flash plugin itself, so that users have to explicitly request flash content be run, even if it's packaged in a way that manages to slip by flashblock.</p></htmltext>
<tokenext>Implement flashblock in the flash plugin itself , so that users have to explicitly request flash content be run , even if it 's packaged in a way that manages to slip by flashblock .</tokentext>
<sentencetext>Implement flashblock in the flash plugin itself, so that users have to explicitly request flash content be run, even if it's packaged in a way that manages to slip by flashblock.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30083316</id>
	<title>Re:Broken security model</title>
	<author>Lobster Quadrille</author>
	<datestamp>1258044960000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>2</modscore>
	<htmltext><p>Off the top of my head, here are a few possible changes:</p><p>1. Deny connections by default, unless the server specifically says "this application can connect" (This is already how adobe determines policies on remote servers. It would not be so hard to make the object's origin follow the same rules)<br>2. Check whether the content-type headers of the server delivering the object actually match those of a flash object, preventing the content overloading attacks described in the paper.<br>3. Implement a signing policy, so that unsigned flash objects are not given permission to access the server.<br>4. Run embedded flash objects in the context of the page they are embedded in, rather than that of the origin server. (Flash objects accessed directly, like javascript run through the javascript: uri handler, have no permissions)</p><p>Maybe not ideal, but a hell of a lot better than having everybody vulnerable by default, and expecting the server administrators to fix it for them on a case by case basis.</p></htmltext>
<tokenext>Off the top of my head , here are a few possible changes : 1 .
Deny connections by default , unless the server specifically says " this application can connect " ( This is already how adobe determines policies on remote servers .
It would not be so hard to make the object 's origin follow the same rules ) 2 .
Check whether the content-type headers of the server delivering the object actually match those of a flash object , preventing the content overloading attacks described in the paper.3 .
Implement a signing policy , so that unsigned flash objects are not given permission to access the server.4 .
Run embedded flash objects in the context of the page they are embedded in , rather than that of the origin server .
( Flash objects accessed directly , like javascript run through the javascript : uri handler , have no permissions ) Maybe not ideal , but a hell of a lot better than having everybody vulnerable by default , and expecting the server administrators to fix it for them on a case by case basis .</tokentext>
<sentencetext>Off the top of my head, here are a few possible changes:1.
Deny connections by default, unless the server specifically says "this application can connect" (This is already how adobe determines policies on remote servers.
It would not be so hard to make the object's origin follow the same rules)2.
Check whether the content-type headers of the server delivering the object actually match those of a flash object, preventing the content overloading attacks described in the paper.3.
Implement a signing policy, so that unsigned flash objects are not given permission to access the server.4.
Run embedded flash objects in the context of the page they are embedded in, rather than that of the origin server.
(Flash objects accessed directly, like javascript run through the javascript: uri handler, have no permissions)Maybe not ideal, but a hell of a lot better than having everybody vulnerable by default, and expecting the server administrators to fix it for them on a case by case basis.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082964</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081788</id>
	<title>Re:NEWS FLASH: Web sites need to screen uploads</title>
	<author>Anonymous</author>
	<datestamp>1258032360000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>A javascript file won't execute in the context of the domain that it's served from- it executes in the context of an html page.  If you upload an HTML page, your example stands.</p><p>However, flash files don't need a<nobr> <wbr></nobr>.swf extension to execute, and the attacker can place executable swfs in many valid file formats.  Uploading a malicious SWF is a lot easier than a malicious HTML page.</p></htmltext>
<tokenext>A javascript file wo n't execute in the context of the domain that it 's served from- it executes in the context of an html page .
If you upload an HTML page , your example stands.However , flash files do n't need a .swf extension to execute , and the attacker can place executable swfs in many valid file formats .
Uploading a malicious SWF is a lot easier than a malicious HTML page .</tokentext>
<sentencetext>A javascript file won't execute in the context of the domain that it's served from- it executes in the context of an html page.
If you upload an HTML page, your example stands.However, flash files don't need a .swf extension to execute, and the attacker can place executable swfs in many valid file formats.
Uploading a malicious SWF is a lot easier than a malicious HTML page.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081630</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081666</id>
	<title>The vulnerability</title>
	<author>Anonymous</author>
	<datestamp>1258031580000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>5</modscore>
	<htmltext>The vulnerability is not new at all. It's been known for probably coupe of years now. If a site accepts file uploads, in some cases even if simply displays user submitted data like *comments*, a malicious user may upload content that contains a policy XML snippet (the resulting file doesn't have to start with the snippet as well due to some specific of how the content is parsed). Flash can be pointed to that snippet and it will blindly accept it as the security policy for that domain/folder.<br> <br>

The security implications are that even if the site doesn't use Flash itself, a user opening a third party site with Flash could read from the site with the faulty policy. <br> <br>

Say Facebook is vulnerable to this problem (likely it is), and you're logged in. Opening another site will allow Flash on that third party site to read your Facebook details, as it has access to anything you do.<br> <br>

This problem was introduced sometimes Flash 7-8 (I forget) when an ability was added for Flash to read policy files from a custom URL. Prios to that, the only valid location was www.example.com/crossdomain.xml, which is, of course far simpler to lock down and secure. The bottom line is, they can fix this in a number of ways, but not in a backwards compatible manner. For the moment they simply seems to have their bets that people don't care enough about this problem to warrant the effort.</htmltext>
<tokenext>The vulnerability is not new at all .
It 's been known for probably coupe of years now .
If a site accepts file uploads , in some cases even if simply displays user submitted data like * comments * , a malicious user may upload content that contains a policy XML snippet ( the resulting file does n't have to start with the snippet as well due to some specific of how the content is parsed ) .
Flash can be pointed to that snippet and it will blindly accept it as the security policy for that domain/folder .
The security implications are that even if the site does n't use Flash itself , a user opening a third party site with Flash could read from the site with the faulty policy .
Say Facebook is vulnerable to this problem ( likely it is ) , and you 're logged in .
Opening another site will allow Flash on that third party site to read your Facebook details , as it has access to anything you do .
This problem was introduced sometimes Flash 7-8 ( I forget ) when an ability was added for Flash to read policy files from a custom URL .
Prios to that , the only valid location was www.example.com/crossdomain.xml , which is , of course far simpler to lock down and secure .
The bottom line is , they can fix this in a number of ways , but not in a backwards compatible manner .
For the moment they simply seems to have their bets that people do n't care enough about this problem to warrant the effort .</tokentext>
<sentencetext>The vulnerability is not new at all.
It's been known for probably coupe of years now.
If a site accepts file uploads, in some cases even if simply displays user submitted data like *comments*, a malicious user may upload content that contains a policy XML snippet (the resulting file doesn't have to start with the snippet as well due to some specific of how the content is parsed).
Flash can be pointed to that snippet and it will blindly accept it as the security policy for that domain/folder.
The security implications are that even if the site doesn't use Flash itself, a user opening a third party site with Flash could read from the site with the faulty policy.
Say Facebook is vulnerable to this problem (likely it is), and you're logged in.
Opening another site will allow Flash on that third party site to read your Facebook details, as it has access to anything you do.
This problem was introduced sometimes Flash 7-8 (I forget) when an ability was added for Flash to read policy files from a custom URL.
Prios to that, the only valid location was www.example.com/crossdomain.xml, which is, of course far simpler to lock down and secure.
The bottom line is, they can fix this in a number of ways, but not in a backwards compatible manner.
For the moment they simply seems to have their bets that people don't care enough about this problem to warrant the effort.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30085868</id>
	<title>Re:OH NO!!!</title>
	<author>Anonymous</author>
	<datestamp>1258122960000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>This is a PROBLEM not an "issue!"</p></htmltext>
<tokenext>This is a PROBLEM not an " issue !
"</tokentext>
<sentencetext>This is a PROBLEM not an "issue!
"</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081360</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081740</id>
	<title>Re:the article is bullshit.</title>
	<author>aztracker1</author>
	<datestamp>1258032060000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>There you go, throwing logic at the discussion...</p></htmltext>
<tokenext>There you go , throwing logic at the discussion.. .</tokentext>
<sentencetext>There you go, throwing logic at the discussion...</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081622</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30083512</id>
	<title>Re:Flash security has always frightened me</title>
	<author>Anonymous</author>
	<datestamp>1258047240000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>4</modscore>
	<htmltext><p><div class="quote"><p>These Flash cookies are hidden from the user, and require special tools [fightidentitytheft.com] to remove.</p></div><p>Not to speak to any of your other points, but this isn't true. The Flash cookies are simply in your filesystem somewhere and can be deleted like any other files. (Where they are exactly depends on your browser and OS, but they're still just regular files.)</p><p>You can't delete them from <i>within</i> the browser without addons or plugins (in other words, the Flash plugin itself does not let you do this -- at least, not without manually setting the allowed disk space to 0 for every single website, which is impractical at best), but unless you consider bash or Windows Explorer to be "special tools," it's not exactly a heinous task.</p></div>
	</htmltext>
<tokenext>These Flash cookies are hidden from the user , and require special tools [ fightidentitytheft.com ] to remove.Not to speak to any of your other points , but this is n't true .
The Flash cookies are simply in your filesystem somewhere and can be deleted like any other files .
( Where they are exactly depends on your browser and OS , but they 're still just regular files .
) You ca n't delete them from within the browser without addons or plugins ( in other words , the Flash plugin itself does not let you do this -- at least , not without manually setting the allowed disk space to 0 for every single website , which is impractical at best ) , but unless you consider bash or Windows Explorer to be " special tools , " it 's not exactly a heinous task .</tokentext>
<sentencetext>These Flash cookies are hidden from the user, and require special tools [fightidentitytheft.com] to remove.Not to speak to any of your other points, but this isn't true.
The Flash cookies are simply in your filesystem somewhere and can be deleted like any other files.
(Where they are exactly depends on your browser and OS, but they're still just regular files.
)You can't delete them from within the browser without addons or plugins (in other words, the Flash plugin itself does not let you do this -- at least, not without manually setting the allowed disk space to 0 for every single website, which is impractical at best), but unless you consider bash or Windows Explorer to be "special tools," it's not exactly a heinous task.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082144</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081790</id>
	<title>So Adobe says...</title>
	<author>Anonymous</author>
	<datestamp>1258032360000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>0</modscore>
	<htmltext><p>"Oops! We found security issues with our software and we plan to do absolute dick about it.  The problem is now on everyone else's hands." *shit eating grin*</p></htmltext>
<tokenext>" Oops !
We found security issues with our software and we plan to do absolute dick about it .
The problem is now on everyone else 's hands .
" * shit eating grin *</tokentext>
<sentencetext>"Oops!
We found security issues with our software and we plan to do absolute dick about it.
The problem is now on everyone else's hands.
" *shit eating grin*</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082640</id>
	<title>Re:Flash security has always frightened me</title>
	<author>tywjohn</author>
	<datestamp>1258039380000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext>This has really opened my eyes about Flash. I never really liked it before because it's just kind of bloat but now I'm seriously thinking of disabling it altogether.</htmltext>
<tokenext>This has really opened my eyes about Flash .
I never really liked it before because it 's just kind of bloat but now I 'm seriously thinking of disabling it altogether .</tokentext>
<sentencetext>This has really opened my eyes about Flash.
I never really liked it before because it's just kind of bloat but now I'm seriously thinking of disabling it altogether.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082144</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30085400</id>
	<title>Re:Am I not understanding this correctly?</title>
	<author>julesh</author>
	<datestamp>1258118520000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><i>At least javascript is confined mostly to a single PAGE - please tell me I'm reading this incorrectly.</i></p><p>I'm not sure where you're wrong here, but you do seem to be.  The consequences of a server being vulnerable to this kind of attack are \_exactly the same\_ as if the server is vulnerable to a cross site scripting attack: scripts can be executed in the context of the server, allowing attackers access to stored cookies, download files from sections of the site he is logged in to, and make requests in those sections too.</p></htmltext>
<tokenext>At least javascript is confined mostly to a single PAGE - please tell me I 'm reading this incorrectly.I 'm not sure where you 're wrong here , but you do seem to be .
The consequences of a server being vulnerable to this kind of attack are \ _exactly the same \ _ as if the server is vulnerable to a cross site scripting attack : scripts can be executed in the context of the server , allowing attackers access to stored cookies , download files from sections of the site he is logged in to , and make requests in those sections too .</tokentext>
<sentencetext>At least javascript is confined mostly to a single PAGE - please tell me I'm reading this incorrectly.I'm not sure where you're wrong here, but you do seem to be.
The consequences of a server being vulnerable to this kind of attack are \_exactly the same\_ as if the server is vulnerable to a cross site scripting attack: scripts can be executed in the context of the server, allowing attackers access to stored cookies, download files from sections of the site he is logged in to, and make requests in those sections too.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30083294</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30084864</id>
	<title>Re:Broken security model</title>
	<author>Alistair Hutton</author>
	<datestamp>1258110240000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Adobe's response is "Website's shouldn't serve untrusted data from a trusted domain".

It's not exactly rocket science.</htmltext>
<tokenext>Adobe 's response is " Website 's should n't serve untrusted data from a trusted domain " .
It 's not exactly rocket science .</tokentext>
<sentencetext>Adobe's response is "Website's shouldn't serve untrusted data from a trusted domain".
It's not exactly rocket science.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081500</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30083570</id>
	<title>wait</title>
	<author>GregNorc</author>
	<datestamp>1258047900000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext><p>If the malicious content is served by the site, then even using a whitelist ala Flashblock won't work, will it? That's pretty scary.</p></htmltext>
<tokenext>If the malicious content is served by the site , then even using a whitelist ala Flashblock wo n't work , will it ?
That 's pretty scary .</tokentext>
<sentencetext>If the malicious content is served by the site, then even using a whitelist ala Flashblock won't work, will it?
That's pretty scary.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081534</id>
	<title>Warning - 2nd link points to a FLASH AD</title>
	<author>Anonymous</author>
	<datestamp>1258030800000</datestamp>
	<modclass>Funny</modclass>
	<modscore>5</modscore>
	<htmltext><p>
Kind of ironic that an article that warns about flash vulnerabilities as:
</p><ol>
<li>A flash interstitial ad</li>
<li>A page loaded with flash</li>
</ol><p>
Oh, wait - it's ComputerWorld. Sorry, I had my expectations too high.</p></htmltext>
<tokenext>Kind of ironic that an article that warns about flash vulnerabilities as : A flash interstitial ad A page loaded with flash Oh , wait - it 's ComputerWorld .
Sorry , I had my expectations too high .</tokentext>
<sentencetext>
Kind of ironic that an article that warns about flash vulnerabilities as:

A flash interstitial ad
A page loaded with flash

Oh, wait - it's ComputerWorld.
Sorry, I had my expectations too high.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081926</id>
	<title>Re:Client or server?</title>
	<author>Ash Vince</author>
	<datestamp>1258033320000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>3</modscore>
	<htmltext><p>I have just read the article. The problem seems to be with sites who allow flash object to be uploaded, then served to other people using the site. Of course, this is just stupid anyway. If I allow you to upload a flash object to my site, I should sanitise it before I allow my server to give it to anyone. The example they give is an animated avatar, but that is poor example as they should be restricted to animated gifs anyway.</p><p>This is just more FUD. ActionScript is a very powerful language, and so server admins should only allow flash files they trust to be served up form websites they maintain. To my mind that is just common sense. The only alternative would be for Adobe to cripple Flash beyond belief so it was only useful for a small percentage of what it is currently used for.</p></htmltext>
<tokenext>I have just read the article .
The problem seems to be with sites who allow flash object to be uploaded , then served to other people using the site .
Of course , this is just stupid anyway .
If I allow you to upload a flash object to my site , I should sanitise it before I allow my server to give it to anyone .
The example they give is an animated avatar , but that is poor example as they should be restricted to animated gifs anyway.This is just more FUD .
ActionScript is a very powerful language , and so server admins should only allow flash files they trust to be served up form websites they maintain .
To my mind that is just common sense .
The only alternative would be for Adobe to cripple Flash beyond belief so it was only useful for a small percentage of what it is currently used for .</tokentext>
<sentencetext>I have just read the article.
The problem seems to be with sites who allow flash object to be uploaded, then served to other people using the site.
Of course, this is just stupid anyway.
If I allow you to upload a flash object to my site, I should sanitise it before I allow my server to give it to anyone.
The example they give is an animated avatar, but that is poor example as they should be restricted to animated gifs anyway.This is just more FUD.
ActionScript is a very powerful language, and so server admins should only allow flash files they trust to be served up form websites they maintain.
To my mind that is just common sense.
The only alternative would be for Adobe to cripple Flash beyond belief so it was only useful for a small percentage of what it is currently used for.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081418</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30085282</id>
	<title>Re:Broken security model</title>
	<author>julesh</author>
	<datestamp>1258116780000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><i>1. Deny connections by default, unless the server specifically says "this application can connect" (This is already how adobe determines policies on remote servers. It would not be so hard to make the object's origin follow the same rules)</i></p><p>Yes, but doing so would break almost every existing flash deployment in existence.  Users upgrading to the new version would be unable to use somewhere over half of all the flash sites out there, thus word would get out very quickly that they shouldn't upgrade, because the new version of flash is "broken".</p><p><i>2. Check whether the content-type headers of the server delivering the object actually match those of a flash object, preventing the content overloading attacks described in the paper.</i></p><p>Plausible, but bare in mind that through years upon years of flash not caring about content type, there are probably significant numbers of misconfigured servers that either serve flash objects as application/octet-stream or as some random but incorrect type.  Because nothing complains about it, nobody will ever have fixed these.  This isn't as serious for compatibility as suggestion 1, but the same outcome will still happen: users won't upgrade because the release will be generally labelled as "broken".</p><p><i>3. Implement a signing policy, so that unsigned flash objects are not given permission to access the server.</i></p><p>Will break all existing deployments.  See problem of solution 1.</p><p><i>4. Run embedded flash objects in the context of the page they are embedded in, rather than that of the origin server. (Flash objects accessed directly, like javascript run through the javascript: uri handler, have no permissions)</i></p><p>Will break existing deployments that rely on the current behaviour.   This would, I believe, include embedded youtube videos.  See problem of solution 1.</p><p><i>Maybe not ideal, but a hell of a lot better than having everybody vulnerable by default, and expecting the server administrators to fix it for them on a case by case basis.</i></p><p>Note that it is the server administrators themselves that are vulnerable, not the users per se -- what can be broken by this is the security of those administrators' web sites.  As such, it is better that \_they\_ have the burden of fixing this, rather than the users have the inconvenience of stuff not working right.</p></htmltext>
<tokenext>1 .
Deny connections by default , unless the server specifically says " this application can connect " ( This is already how adobe determines policies on remote servers .
It would not be so hard to make the object 's origin follow the same rules ) Yes , but doing so would break almost every existing flash deployment in existence .
Users upgrading to the new version would be unable to use somewhere over half of all the flash sites out there , thus word would get out very quickly that they should n't upgrade , because the new version of flash is " broken " .2 .
Check whether the content-type headers of the server delivering the object actually match those of a flash object , preventing the content overloading attacks described in the paper.Plausible , but bare in mind that through years upon years of flash not caring about content type , there are probably significant numbers of misconfigured servers that either serve flash objects as application/octet-stream or as some random but incorrect type .
Because nothing complains about it , nobody will ever have fixed these .
This is n't as serious for compatibility as suggestion 1 , but the same outcome will still happen : users wo n't upgrade because the release will be generally labelled as " broken " .3 .
Implement a signing policy , so that unsigned flash objects are not given permission to access the server.Will break all existing deployments .
See problem of solution 1.4 .
Run embedded flash objects in the context of the page they are embedded in , rather than that of the origin server .
( Flash objects accessed directly , like javascript run through the javascript : uri handler , have no permissions ) Will break existing deployments that rely on the current behaviour .
This would , I believe , include embedded youtube videos .
See problem of solution 1.Maybe not ideal , but a hell of a lot better than having everybody vulnerable by default , and expecting the server administrators to fix it for them on a case by case basis.Note that it is the server administrators themselves that are vulnerable , not the users per se -- what can be broken by this is the security of those administrators ' web sites .
As such , it is better that \ _they \ _ have the burden of fixing this , rather than the users have the inconvenience of stuff not working right .</tokentext>
<sentencetext>1.
Deny connections by default, unless the server specifically says "this application can connect" (This is already how adobe determines policies on remote servers.
It would not be so hard to make the object's origin follow the same rules)Yes, but doing so would break almost every existing flash deployment in existence.
Users upgrading to the new version would be unable to use somewhere over half of all the flash sites out there, thus word would get out very quickly that they shouldn't upgrade, because the new version of flash is "broken".2.
Check whether the content-type headers of the server delivering the object actually match those of a flash object, preventing the content overloading attacks described in the paper.Plausible, but bare in mind that through years upon years of flash not caring about content type, there are probably significant numbers of misconfigured servers that either serve flash objects as application/octet-stream or as some random but incorrect type.
Because nothing complains about it, nobody will ever have fixed these.
This isn't as serious for compatibility as suggestion 1, but the same outcome will still happen: users won't upgrade because the release will be generally labelled as "broken".3.
Implement a signing policy, so that unsigned flash objects are not given permission to access the server.Will break all existing deployments.
See problem of solution 1.4.
Run embedded flash objects in the context of the page they are embedded in, rather than that of the origin server.
(Flash objects accessed directly, like javascript run through the javascript: uri handler, have no permissions)Will break existing deployments that rely on the current behaviour.
This would, I believe, include embedded youtube videos.
See problem of solution 1.Maybe not ideal, but a hell of a lot better than having everybody vulnerable by default, and expecting the server administrators to fix it for them on a case by case basis.Note that it is the server administrators themselves that are vulnerable, not the users per se -- what can be broken by this is the security of those administrators' web sites.
As such, it is better that \_they\_ have the burden of fixing this, rather than the users have the inconvenience of stuff not working right.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30083316</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081786</id>
	<title>Re:NEWS FLASH: Web sites need to screen uploads</title>
	<author>smash</author>
	<datestamp>1258032300000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>AC needs modding up...</htmltext>
<tokenext>AC needs modding up.. .</tokentext>
<sentencetext>AC needs modding up...</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081630</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082546</id>
	<title>Re:Flashblock</title>
	<author>RiotingPacifist</author>
	<datestamp>1258038180000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Flashblock doesn't keep you safe, Flashblock can be tricked by altering file extension and IIRC it can also be tricked by object tags.<br>AFAIK noscript is the only addon that will block flash in a secure way, but IMO it too much of a PITA to use.</p></htmltext>
<tokenext>Flashblock does n't keep you safe , Flashblock can be tricked by altering file extension and IIRC it can also be tricked by object tags.AFAIK noscript is the only addon that will block flash in a secure way , but IMO it too much of a PITA to use .</tokentext>
<sentencetext>Flashblock doesn't keep you safe, Flashblock can be tricked by altering file extension and IIRC it can also be tricked by object tags.AFAIK noscript is the only addon that will block flash in a secure way, but IMO it too much of a PITA to use.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081704</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30084060</id>
	<title>Said Flash to HTML5</title>
	<author>Chas</author>
	<datestamp>1258054080000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Take it away brother.  I got nothin'!</p><p>Seriously, at least on the web-based video front, this is practically the same as Flash BEGGING to be ousted in favor of HTML5.</p></htmltext>
<tokenext>Take it away brother .
I got nothin ' ! Seriously , at least on the web-based video front , this is practically the same as Flash BEGGING to be ousted in favor of HTML5 .</tokentext>
<sentencetext>Take it away brother.
I got nothin'!Seriously, at least on the web-based video front, this is practically the same as Flash BEGGING to be ousted in favor of HTML5.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082802</id>
	<title>Re:It's times like this...</title>
	<author>kernelfoobar</author>
	<datestamp>1258040700000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><div class="quote"><p>I'm glad that 64-bit Firefox doesn't have a flash plugin.</p></div><p>Really? <a href="http://labs.adobe.com/technologies/flashplayer10/faq.html" title="adobe.com" rel="nofollow">http://labs.adobe.com/technologies/flashplayer10/faq.html</a> [adobe.com]
<br> <br>
It's in Alpha but works fine with Fedora 10 and 11. Also works well in CentOS/RHEL 5, rpmforge even has it in the repo:
<br> <br>
<a href="http://packages.sw.be/flash-plugin/flash-plugin-10.0.32.18-0.1.el5.rf.x86\_64.rpm" title="packages.sw.be" rel="nofollow">http://packages.sw.be/flash-plugin/flash-plugin-10.0.32.18-0.1.el5.rf.x86\_64.rpm</a> [packages.sw.be]
<br> <br>
Oh, your must be using "The OS" (TM) or "The Other OS" (TM)(C), then yeah, your right it doesn't exist and you have my sympathy.
<br> <br>
Sorry for the sarcastic tone, I'm just feeling like it right now.</p></div>
	</htmltext>
<tokenext>I 'm glad that 64-bit Firefox does n't have a flash plugin.Really ?
http : //labs.adobe.com/technologies/flashplayer10/faq.html [ adobe.com ] It 's in Alpha but works fine with Fedora 10 and 11 .
Also works well in CentOS/RHEL 5 , rpmforge even has it in the repo : http : //packages.sw.be/flash-plugin/flash-plugin-10.0.32.18-0.1.el5.rf.x86 \ _64.rpm [ packages.sw.be ] Oh , your must be using " The OS " ( TM ) or " The Other OS " ( TM ) ( C ) , then yeah , your right it does n't exist and you have my sympathy .
Sorry for the sarcastic tone , I 'm just feeling like it right now .</tokentext>
<sentencetext>I'm glad that 64-bit Firefox doesn't have a flash plugin.Really?
http://labs.adobe.com/technologies/flashplayer10/faq.html [adobe.com]
 
It's in Alpha but works fine with Fedora 10 and 11.
Also works well in CentOS/RHEL 5, rpmforge even has it in the repo:
 
http://packages.sw.be/flash-plugin/flash-plugin-10.0.32.18-0.1.el5.rf.x86\_64.rpm [packages.sw.be]
 
Oh, your must be using "The OS" (TM) or "The Other OS" (TM)(C), then yeah, your right it doesn't exist and you have my sympathy.
Sorry for the sarcastic tone, I'm just feeling like it right now.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081888</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30093280</id>
	<title>Re:NEWS FLASH: Web sites need to screen uploads</title>
	<author>Anonymous</author>
	<datestamp>1258115820000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>You are correct with the following statement:</p><p><div class="quote"><p>I upload a malicious SWF to www.victimsite.example, and embed it into a page at www.seemingly-innocuous.example. Unlike the JavaScript example, my malicious SWF now runs in the www.victimsite.example domain security sandbox, and can make any requests it wants to the victimsite.example domain without the visitor to my seemingly innocuous domain being any the wiser.</p></div><p>But, and this is a huge BUT, only if the two domains are configured to allow cross sandbox communications with a crossdomain.xml file. Flash can only access content on its own domain and sandbox, if you've created a crossdomain.xml policy file that allows script access between the two domains then this will happen. Otherwise www.seemingly-innocuous.example is trouble free.</p></div>
	</htmltext>
<tokenext>You are correct with the following statement : I upload a malicious SWF to www.victimsite.example , and embed it into a page at www.seemingly-innocuous.example .
Unlike the JavaScript example , my malicious SWF now runs in the www.victimsite.example domain security sandbox , and can make any requests it wants to the victimsite.example domain without the visitor to my seemingly innocuous domain being any the wiser.But , and this is a huge BUT , only if the two domains are configured to allow cross sandbox communications with a crossdomain.xml file .
Flash can only access content on its own domain and sandbox , if you 've created a crossdomain.xml policy file that allows script access between the two domains then this will happen .
Otherwise www.seemingly-innocuous.example is trouble free .</tokentext>
<sentencetext>You are correct with the following statement:I upload a malicious SWF to www.victimsite.example, and embed it into a page at www.seemingly-innocuous.example.
Unlike the JavaScript example, my malicious SWF now runs in the www.victimsite.example domain security sandbox, and can make any requests it wants to the victimsite.example domain without the visitor to my seemingly innocuous domain being any the wiser.But, and this is a huge BUT, only if the two domains are configured to allow cross sandbox communications with a crossdomain.xml file.
Flash can only access content on its own domain and sandbox, if you've created a crossdomain.xml policy file that allows script access between the two domains then this will happen.
Otherwise www.seemingly-innocuous.example is trouble free.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30083794</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082334</id>
	<title>Re:Flash security has always frightened me</title>
	<author>Anonymous</author>
	<datestamp>1258036380000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>The funny thing is, despite all the safeguards and such with XMLHttpRequest, you can get almost all the same functionality (no POST requests though) by dynamically adding DOM elements to the page with the src set to whatever parameters for your GET request... <em>and</em> they have no security controls whatsoever so they can be cross-domain.</p></htmltext>
<tokenext>The funny thing is , despite all the safeguards and such with XMLHttpRequest , you can get almost all the same functionality ( no POST requests though ) by dynamically adding DOM elements to the page with the src set to whatever parameters for your GET request... and they have no security controls whatsoever so they can be cross-domain .</tokentext>
<sentencetext>The funny thing is, despite all the safeguards and such with XMLHttpRequest, you can get almost all the same functionality (no POST requests though) by dynamically adding DOM elements to the page with the src set to whatever parameters for your GET request... and they have no security controls whatsoever so they can be cross-domain.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082144</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082662</id>
	<title>domain policy</title>
	<author>burris</author>
	<datestamp>1258039560000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>I wonder if fears of these sorts of attacks are why many major sites seems to be serving scripts and other static content from a completely different domain instead of a subdomain of the main site like an ostensibly sensible admin would do.</p></htmltext>
<tokenext>I wonder if fears of these sorts of attacks are why many major sites seems to be serving scripts and other static content from a completely different domain instead of a subdomain of the main site like an ostensibly sensible admin would do .</tokentext>
<sentencetext>I wonder if fears of these sorts of attacks are why many major sites seems to be serving scripts and other static content from a completely different domain instead of a subdomain of the main site like an ostensibly sensible admin would do.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081594</id>
	<title>Re:Client or server?</title>
	<author>Z34107</author>
	<datestamp>1258031160000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Relevant part of the article:</p><blockquote><div><p>The basic policy for Actionscript is very close to the Javascript same-origin policy: A Flash object can only access content from the domain it originated from.<nobr> <wbr></nobr>...
The important difference, of course, is that flash objects are not web pages. A flash object does not need to be injected into a web page to execute- simply loading the content is enough. Let's consider the implications of this policy for a moment: If I can get a Flash object onto your server, I can execute scripts in the context of your domain.</p></div>
</blockquote><p>So, user uploads a file - say, a picture for a forum avatar.  Your image validation misses that malicious\_flash.jpg is really a SWF file, and now you're executing flash all over the place "in the context of your domain."  Which I guess means any SWF file I manage to upload anywhere can eat the hosting webserver.</p></div>
	</htmltext>
<tokenext>Relevant part of the article : The basic policy for Actionscript is very close to the Javascript same-origin policy : A Flash object can only access content from the domain it originated from .
.. . The important difference , of course , is that flash objects are not web pages .
A flash object does not need to be injected into a web page to execute- simply loading the content is enough .
Let 's consider the implications of this policy for a moment : If I can get a Flash object onto your server , I can execute scripts in the context of your domain .
So , user uploads a file - say , a picture for a forum avatar .
Your image validation misses that malicious \ _flash.jpg is really a SWF file , and now you 're executing flash all over the place " in the context of your domain .
" Which I guess means any SWF file I manage to upload anywhere can eat the hosting webserver .</tokentext>
<sentencetext>Relevant part of the article:The basic policy for Actionscript is very close to the Javascript same-origin policy: A Flash object can only access content from the domain it originated from.
...
The important difference, of course, is that flash objects are not web pages.
A flash object does not need to be injected into a web page to execute- simply loading the content is enough.
Let's consider the implications of this policy for a moment: If I can get a Flash object onto your server, I can execute scripts in the context of your domain.
So, user uploads a file - say, a picture for a forum avatar.
Your image validation misses that malicious\_flash.jpg is really a SWF file, and now you're executing flash all over the place "in the context of your domain.
"  Which I guess means any SWF file I manage to upload anywhere can eat the hosting webserver.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081418</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30085978</id>
	<title>Cil</title>
	<author>hesaigo999ca</author>
	<datestamp>1258123740000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Cil, adobe, cil adobe, C...I....L.... adobe.</p><p>I just can't fathom yet another vulnerability, much less one they have no plans to fix, which you apparently don't even need adobe flash installed on your pc to get infected. Seriously come on...this is really crappy news.</p><p>Adobe is going to become the Skynet we all fear in the future, watch and see....<nobr> <wbr></nobr>:P</p></htmltext>
<tokenext>Cil , adobe , cil adobe , C...I....L.... adobe.I just ca n't fathom yet another vulnerability , much less one they have no plans to fix , which you apparently do n't even need adobe flash installed on your pc to get infected .
Seriously come on...this is really crappy news.Adobe is going to become the Skynet we all fear in the future , watch and see.... : P</tokentext>
<sentencetext>Cil, adobe, cil adobe, C...I....L.... adobe.I just can't fathom yet another vulnerability, much less one they have no plans to fix, which you apparently don't even need adobe flash installed on your pc to get infected.
Seriously come on...this is really crappy news.Adobe is going to become the Skynet we all fear in the future, watch and see.... :P</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30092390</id>
	<title>Re:Flash security has always frightened me</title>
	<author>Zadaz</author>
	<datestamp>1258109880000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><blockquote><div><p>You can't delete them from within the browser without addons or plugins</p></div> </blockquote><p>This is also false.</p><p>Go to this URL:<br><a href="http://www.macromedia.com/support/documentation/en/flashplayer/help/settings\_manager07.html" title="macromedia.com">http://www.macromedia.com/support/documentation/en/flashplayer/help/settings\_manager07.html</a> [macromedia.com]</p><p>Enjoy.</p></div>
	</htmltext>
<tokenext>You ca n't delete them from within the browser without addons or plugins This is also false.Go to this URL : http : //www.macromedia.com/support/documentation/en/flashplayer/help/settings \ _manager07.html [ macromedia.com ] Enjoy .</tokentext>
<sentencetext>You can't delete them from within the browser without addons or plugins This is also false.Go to this URL:http://www.macromedia.com/support/documentation/en/flashplayer/help/settings\_manager07.html [macromedia.com]Enjoy.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30083512</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082288</id>
	<title>Re:OH NO!!!</title>
	<author>wvmarle</author>
	<datestamp>1258035960000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>1</modscore>
	<htmltext><p>Yes I was thinking about the same. Flash vulnerability after Windows critical flaw after Firefox hole... some with patches coming, others remaining unpatched (e.g. DNS problems).
</p><p>It seems to be getting more and more these days. But I can't imagine that software is getting worse - even Microsoft is thinking about security these days.
</p><p>And the flaws are becoming more and more obscure. OK I didn't RTFA but this has to do with users being vulnerable when servers accept file uploads, even if server doesn't do anything with Flash. So the user has to be able to UPload something and as a result RECEIVE something? From the site they upload to I suppose. Weird to say the least but then maybe I should RTFA to find out more.
</p><p>To me the more and more of these issues I see the less it starts to worry me. It's starting to get normal, you start to get used to it, that's not good of course. On the other hand I have the feeling it simply has to do with more awareness, more and more researchers digging around trying out the strangest scenarios to find vulnerabilities. Which in a way is not bad at all.</p></htmltext>
<tokenext>Yes I was thinking about the same .
Flash vulnerability after Windows critical flaw after Firefox hole... some with patches coming , others remaining unpatched ( e.g .
DNS problems ) .
It seems to be getting more and more these days .
But I ca n't imagine that software is getting worse - even Microsoft is thinking about security these days .
And the flaws are becoming more and more obscure .
OK I did n't RTFA but this has to do with users being vulnerable when servers accept file uploads , even if server does n't do anything with Flash .
So the user has to be able to UPload something and as a result RECEIVE something ?
From the site they upload to I suppose .
Weird to say the least but then maybe I should RTFA to find out more .
To me the more and more of these issues I see the less it starts to worry me .
It 's starting to get normal , you start to get used to it , that 's not good of course .
On the other hand I have the feeling it simply has to do with more awareness , more and more researchers digging around trying out the strangest scenarios to find vulnerabilities .
Which in a way is not bad at all .</tokentext>
<sentencetext>Yes I was thinking about the same.
Flash vulnerability after Windows critical flaw after Firefox hole... some with patches coming, others remaining unpatched (e.g.
DNS problems).
It seems to be getting more and more these days.
But I can't imagine that software is getting worse - even Microsoft is thinking about security these days.
And the flaws are becoming more and more obscure.
OK I didn't RTFA but this has to do with users being vulnerable when servers accept file uploads, even if server doesn't do anything with Flash.
So the user has to be able to UPload something and as a result RECEIVE something?
From the site they upload to I suppose.
Weird to say the least but then maybe I should RTFA to find out more.
To me the more and more of these issues I see the less it starts to worry me.
It's starting to get normal, you start to get used to it, that's not good of course.
On the other hand I have the feeling it simply has to do with more awareness, more and more researchers digging around trying out the strangest scenarios to find vulnerabilities.
Which in a way is not bad at all.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081360</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082960</id>
	<title>Re:Uploading a swf with a jpg extension?</title>
	<author>moonbender</author>
	<datestamp>1258041960000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>This does sound like a good fix for the issue, though I'm sure it'll break a lot of sites.</p></htmltext>
<tokenext>This does sound like a good fix for the issue , though I 'm sure it 'll break a lot of sites .</tokentext>
<sentencetext>This does sound like a good fix for the issue, though I'm sure it'll break a lot of sites.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082084</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081542</id>
	<title>Client.</title>
	<author>XanC</author>
	<datestamp>1258030860000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>1</modscore>
	<htmltext><p>It's not a problem for Web sites, except for their users that run crappy software (ie Flash).</p></htmltext>
<tokenext>It 's not a problem for Web sites , except for their users that run crappy software ( ie Flash ) .</tokentext>
<sentencetext>It's not a problem for Web sites, except for their users that run crappy software (ie Flash).</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081418</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081958</id>
	<title>Uploading a swf with a jpg extension?</title>
	<author>FsG</author>
	<datestamp>1258033560000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>3</modscore>
	<htmltext><p>There's one thing I don't understand from the article.. how can this be triggered through files with other extensions that are served with a proper content type? I mean, let's say you have a phpBB3 (with attachments enabled) forum and some guy uploads a jpg. It's actually a swf in disguise, but phpBB's own checks miss that. Then it's served back to a user with a jpg extension and a jpeg content-type.</p><p>According to the article, the SWF can still be executed under these circumstances, but that seems implausible to me. I would think that the browser would simply invoke the jpeg handler, fail to parse the image data, and throw an error.</p></htmltext>
<tokenext>There 's one thing I do n't understand from the article.. how can this be triggered through files with other extensions that are served with a proper content type ?
I mean , let 's say you have a phpBB3 ( with attachments enabled ) forum and some guy uploads a jpg .
It 's actually a swf in disguise , but phpBB 's own checks miss that .
Then it 's served back to a user with a jpg extension and a jpeg content-type.According to the article , the SWF can still be executed under these circumstances , but that seems implausible to me .
I would think that the browser would simply invoke the jpeg handler , fail to parse the image data , and throw an error .</tokentext>
<sentencetext>There's one thing I don't understand from the article.. how can this be triggered through files with other extensions that are served with a proper content type?
I mean, let's say you have a phpBB3 (with attachments enabled) forum and some guy uploads a jpg.
It's actually a swf in disguise, but phpBB's own checks miss that.
Then it's served back to a user with a jpg extension and a jpeg content-type.According to the article, the SWF can still be executed under these circumstances, but that seems implausible to me.
I would think that the browser would simply invoke the jpeg handler, fail to parse the image data, and throw an error.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30087204</id>
	<title>Re:OH NO!!!</title>
	<author>Anonymous</author>
	<datestamp>1258129860000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p><div class="quote"><p>OH NO!!!</p></div><p>I think you mean, AH AHHHHHHH!!!!!!!!!!</p></div>
	</htmltext>
<tokenext>OH NO ! !
! I think you mean , AH AHHHHHHH ! ! ! ! ! ! ! ! !
!</tokentext>
<sentencetext>OH NO!!
!I think you mean, AH AHHHHHHH!!!!!!!!!
!
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081360</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30086090</id>
	<title>another...</title>
	<author>revxul</author>
	<datestamp>1258124460000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Another nail in Flash's coffin. Another Macromedia product Adobe is running into the ground.</p></htmltext>
<tokenext>Another nail in Flash 's coffin .
Another Macromedia product Adobe is running into the ground .</tokentext>
<sentencetext>Another nail in Flash's coffin.
Another Macromedia product Adobe is running into the ground.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081892</id>
	<title>Re:Broken security model</title>
	<author>seanalltogether</author>
	<datestamp>1258033080000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>I'm still not exactly clear on the vulnerability itself, all I'm reading is "If I get a swf on your server, when it's executed in the browser it will have originated form that server" What exactly is the vulnerability there? Isn't this how it's supposed to work? Don't you want scripts executing on the domain they load from?

From the article

"If I can get a Flash object onto your server, I can execute scripts in the context of your domain. This is a frighteningly Bad Thing." Is he suggesting Flash should execute in a black hole or something like that? That would make no sense.</htmltext>
<tokenext>I 'm still not exactly clear on the vulnerability itself , all I 'm reading is " If I get a swf on your server , when it 's executed in the browser it will have originated form that server " What exactly is the vulnerability there ?
Is n't this how it 's supposed to work ?
Do n't you want scripts executing on the domain they load from ?
From the article " If I can get a Flash object onto your server , I can execute scripts in the context of your domain .
This is a frighteningly Bad Thing .
" Is he suggesting Flash should execute in a black hole or something like that ?
That would make no sense .</tokentext>
<sentencetext>I'm still not exactly clear on the vulnerability itself, all I'm reading is "If I get a swf on your server, when it's executed in the browser it will have originated form that server" What exactly is the vulnerability there?
Isn't this how it's supposed to work?
Don't you want scripts executing on the domain they load from?
From the article

"If I can get a Flash object onto your server, I can execute scripts in the context of your domain.
This is a frighteningly Bad Thing.
" Is he suggesting Flash should execute in a black hole or something like that?
That would make no sense.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081500</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30091706</id>
	<title>Re:What the...</title>
	<author>Anonymous</author>
	<datestamp>1258106280000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Fun thing to note: The Gmail exploit in TFA uses SWFs that are only available to the attacker's profile.  The solution? Use a CSRF hole to log the user into the attacker's account, load the SWF, and then log him back out.</p><p>If your content is truly only available to one user, you're correct, but web attacks stack nicely.</p></htmltext>
<tokenext>Fun thing to note : The Gmail exploit in TFA uses SWFs that are only available to the attacker 's profile .
The solution ?
Use a CSRF hole to log the user into the attacker 's account , load the SWF , and then log him back out.If your content is truly only available to one user , you 're correct , but web attacks stack nicely .</tokentext>
<sentencetext>Fun thing to note: The Gmail exploit in TFA uses SWFs that are only available to the attacker's profile.
The solution?
Use a CSRF hole to log the user into the attacker's account, load the SWF, and then log him back out.If your content is truly only available to one user, you're correct, but web attacks stack nicely.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30085898</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30088794</id>
	<title>Re:Broken security model</title>
	<author>Anonymous</author>
	<datestamp>1258137540000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>It may not be news to you, or the techie crowd, but it gives iphone users a warm fuzzy feeling to know that there missing out on this little problem. Slashdot isn't just for smelly asocial linux geeks!</p></htmltext>
<tokenext>It may not be news to you , or the techie crowd , but it gives iphone users a warm fuzzy feeling to know that there missing out on this little problem .
Slashdot is n't just for smelly asocial linux geeks !</tokentext>
<sentencetext>It may not be news to you, or the techie crowd, but it gives iphone users a warm fuzzy feeling to know that there missing out on this little problem.
Slashdot isn't just for smelly asocial linux geeks!</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082162</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081914</id>
	<title>*raises hand*</title>
	<author>Anonymous</author>
	<datestamp>1258033260000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>OK, can we get rid of Flash now?
<br> <br>
No? Alright then, just asking.</htmltext>
<tokenext>OK , can we get rid of Flash now ?
No ? Alright then , just asking .</tokentext>
<sentencetext>OK, can we get rid of Flash now?
No? Alright then, just asking.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30083360</id>
	<title>someone will keep me safe</title>
	<author>darrenkopp</author>
	<datestamp>1258045260000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>3</modscore>
	<htmltext>good thing firefox will automatically block this plug in for me, to keep me safe. that's what they do right?</htmltext>
<tokenext>good thing firefox will automatically block this plug in for me , to keep me safe .
that 's what they do right ?</tokentext>
<sentencetext>good thing firefox will automatically block this plug in for me, to keep me safe.
that's what they do right?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082820</id>
	<title>Re:the article is bullshit.</title>
	<author>Anonymous</author>
	<datestamp>1258040880000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Ok... so you put an SWF in a Zip/mp3/pdf etc, you still need to make the flash plug-in execute it...<br>It's got the magic bits of the container format (PK), not an SWF (CWS).</p></htmltext>
<tokenext>Ok... so you put an SWF in a Zip/mp3/pdf etc , you still need to make the flash plug-in execute it...It 's got the magic bits of the container format ( PK ) , not an SWF ( CWS ) .</tokentext>
<sentencetext>Ok... so you put an SWF in a Zip/mp3/pdf etc, you still need to make the flash plug-in execute it...It's got the magic bits of the container format (PK), not an SWF (CWS).</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081804</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081812</id>
	<title>Re:the article is bullshit.</title>
	<author>Anonymous</author>
	<datestamp>1258032480000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Wait, what?</p><p>Maybe the web site <em>wants</em> to compromise its users.  Then what?  You know, like a hacked or malicious web site.</p></htmltext>
<tokenext>Wait , what ? Maybe the web site wants to compromise its users .
Then what ?
You know , like a hacked or malicious web site .</tokentext>
<sentencetext>Wait, what?Maybe the web site wants to compromise its users.
Then what?
You know, like a hacked or malicious web site.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081622</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30083262</id>
	<title>Re:the article is bullshit.</title>
	<author>Anonymous</author>
	<datestamp>1258044420000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext><p>Slashdot really needs an appallingly ignorant mod. Or maybe just an RTFA.</p></htmltext>
<tokenext>Slashdot really needs an appallingly ignorant mod .
Or maybe just an RTFA .</tokentext>
<sentencetext>Slashdot really needs an appallingly ignorant mod.
Or maybe just an RTFA.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081622</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30091758</id>
	<title>Re:Am I not understanding this correctly?</title>
	<author>owlstead</author>
	<datestamp>1258106520000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Just running webservers for the hell of it is dangerous practice, unless you make sure you don't try and do everything. Do those people really patch their servers on time? Do they rely on their fantastic 99.999 percent available ADSL or cable modem connections for connectivity? And then have people upload stuff to your server - ugh. Only to prevent my upstream of being filled up I would not allow such a thing. Having a separate virtual subdomain is an easy problem to solve regarding all the other issues they may encounter.</p></htmltext>
<tokenext>Just running webservers for the hell of it is dangerous practice , unless you make sure you do n't try and do everything .
Do those people really patch their servers on time ?
Do they rely on their fantastic 99.999 percent available ADSL or cable modem connections for connectivity ?
And then have people upload stuff to your server - ugh .
Only to prevent my upstream of being filled up I would not allow such a thing .
Having a separate virtual subdomain is an easy problem to solve regarding all the other issues they may encounter .</tokentext>
<sentencetext>Just running webservers for the hell of it is dangerous practice, unless you make sure you don't try and do everything.
Do those people really patch their servers on time?
Do they rely on their fantastic 99.999 percent available ADSL or cable modem connections for connectivity?
And then have people upload stuff to your server - ugh.
Only to prevent my upstream of being filled up I would not allow such a thing.
Having a separate virtual subdomain is an easy problem to solve regarding all the other issues they may encounter.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30083294</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30088888</id>
	<title>Re:The vulnerability</title>
	<author>Anonymous</author>
	<datestamp>1258137840000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>I believe that what you're describing is not what the article is about.  However, it is an interesting vulnerability.  More appears to be here: <a href="http://www.hardened-php.net/library/poking\_new\_holes\_with\_flash\_crossdomain\_policy\_files.html" title="hardened-php.net" rel="nofollow">http://www.hardened-php.net/library/poking\_new\_holes\_with\_flash\_crossdomain\_policy\_files.html</a> [hardened-php.net]</p></htmltext>
<tokenext>I believe that what you 're describing is not what the article is about .
However , it is an interesting vulnerability .
More appears to be here : http : //www.hardened-php.net/library/poking \ _new \ _holes \ _with \ _flash \ _crossdomain \ _policy \ _files.html [ hardened-php.net ]</tokentext>
<sentencetext>I believe that what you're describing is not what the article is about.
However, it is an interesting vulnerability.
More appears to be here: http://www.hardened-php.net/library/poking\_new\_holes\_with\_flash\_crossdomain\_policy\_files.html [hardened-php.net]</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081666</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30089038</id>
	<title>Re:the article is bullshit.</title>
	<author>EndlessNameless</author>
	<datestamp>1258138380000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>2</modscore>
	<htmltext><p>//Only an idiot trusts crap uploaded by the general public.//<br>
&nbsp; <br>Some sites by their nature rely on user-supplied content. Facebook, photography enthusiasts, and community blogs all accept files from one user and make them available to another (which is essentially all the site must do in order to bu vulnerable).<br>
&nbsp; <br>In many cases, you can process whatever they send you, but there may be cases where you cannot reencode images, covert document formats, or alter/filter/forbid their files. (Whatever the reason---whether it's a matter of legality, policy, or user expectations.) Or you may simply be hosting files.<br>
&nbsp; <br>Making a user-supplied file available via HTTP is all that you need in order to be exploited. While you may not need to do this, there are legitimate cases where others do.<br>
&nbsp; <br>Ultimately, scanning inbound files for the bits that the Flash plugin uses to identify valid SWF files and removing them should remediate the vulnerability completely---but this shouldn't be necessary because Adobe should have an effective security model.</p></htmltext>
<tokenext>//Only an idiot trusts crap uploaded by the general public.//   Some sites by their nature rely on user-supplied content .
Facebook , photography enthusiasts , and community blogs all accept files from one user and make them available to another ( which is essentially all the site must do in order to bu vulnerable ) .
  In many cases , you can process whatever they send you , but there may be cases where you can not reencode images , covert document formats , or alter/filter/forbid their files .
( Whatever the reason---whether it 's a matter of legality , policy , or user expectations .
) Or you may simply be hosting files .
  Making a user-supplied file available via HTTP is all that you need in order to be exploited .
While you may not need to do this , there are legitimate cases where others do .
  Ultimately , scanning inbound files for the bits that the Flash plugin uses to identify valid SWF files and removing them should remediate the vulnerability completely---but this should n't be necessary because Adobe should have an effective security model .</tokentext>
<sentencetext>//Only an idiot trusts crap uploaded by the general public.//
  Some sites by their nature rely on user-supplied content.
Facebook, photography enthusiasts, and community blogs all accept files from one user and make them available to another (which is essentially all the site must do in order to bu vulnerable).
  In many cases, you can process whatever they send you, but there may be cases where you cannot reencode images, covert document formats, or alter/filter/forbid their files.
(Whatever the reason---whether it's a matter of legality, policy, or user expectations.
) Or you may simply be hosting files.
  Making a user-supplied file available via HTTP is all that you need in order to be exploited.
While you may not need to do this, there are legitimate cases where others do.
  Ultimately, scanning inbound files for the bits that the Flash plugin uses to identify valid SWF files and removing them should remediate the vulnerability completely---but this shouldn't be necessary because Adobe should have an effective security model.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30083380</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082796</id>
	<title>Re:Client or server?</title>
	<author>mysidia</author>
	<datestamp>1258040640000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>
It can't eat the hosting webserver, but it's running on the clients' computers if they have flash installed....    it means the app could do things like submit forms, e.g.  pretend to be that person,  cause that person to also upload a flash file as their avatar, modified so it "appears" to be the original image of them...  then post in a thread as them.
</p><p>
IOW, potentially wormable.
</p></htmltext>
<tokenext>It ca n't eat the hosting webserver , but it 's running on the clients ' computers if they have flash installed.... it means the app could do things like submit forms , e.g .
pretend to be that person , cause that person to also upload a flash file as their avatar , modified so it " appears " to be the original image of them... then post in a thread as them .
IOW , potentially wormable .</tokentext>
<sentencetext>
It can't eat the hosting webserver, but it's running on the clients' computers if they have flash installed....    it means the app could do things like submit forms, e.g.
pretend to be that person,  cause that person to also upload a flash file as their avatar, modified so it "appears" to be the original image of them...  then post in a thread as them.
IOW, potentially wormable.
</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081594</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081696</id>
	<title>Re:OH NO!!!</title>
	<author>elmedico27</author>
	<datestamp>1258031820000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext>No kidding, call it news when Adobe says "Hey, we're actually going to fix some shit this time!"</htmltext>
<tokenext>No kidding , call it news when Adobe says " Hey , we 're actually going to fix some shit this time !
"</tokentext>
<sentencetext>No kidding, call it news when Adobe says "Hey, we're actually going to fix some shit this time!
"</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081360</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081418</id>
	<title>Client or server?</title>
	<author>Dan East</author>
	<datestamp>1258030200000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>"Any site that allows files to be uploaded could be vulnerable"</p><p>"Every user with Flash installed is vulnerable"</p><p>So who is vulnerable? The server or the client?</p></htmltext>
<tokenext>" Any site that allows files to be uploaded could be vulnerable " " Every user with Flash installed is vulnerable " So who is vulnerable ?
The server or the client ?</tokentext>
<sentencetext>"Any site that allows files to be uploaded could be vulnerable""Every user with Flash installed is vulnerable"So who is vulnerable?
The server or the client?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30083186</id>
	<title>Re:Flash security has always frightened me</title>
	<author>Anonymous</author>
	<datestamp>1258043700000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Just another example reinforcement of my message above about Oracle's new Flash-based support site:</p><p>And Oracle Support cannot understand why so many Oracle admins and/or their organizations have issues with their shiny new Flash-based support web site to which we upload all kinds of "debugging" files.</p></htmltext>
<tokenext>Just another example reinforcement of my message above about Oracle 's new Flash-based support site : And Oracle Support can not understand why so many Oracle admins and/or their organizations have issues with their shiny new Flash-based support web site to which we upload all kinds of " debugging " files .</tokentext>
<sentencetext>Just another example reinforcement of my message above about Oracle's new Flash-based support site:And Oracle Support cannot understand why so many Oracle admins and/or their organizations have issues with their shiny new Flash-based support web site to which we upload all kinds of "debugging" files.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082144</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081540</id>
	<title>Say it ain't so o o o</title>
	<author>Anonymous</author>
	<datestamp>1258030860000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>1</modscore>
	<htmltext>While I love flash, because I've been working with it for so many years (go ActionScript!) I have seen many things it can do. Unfortunately, most people don't take it seriously. While the issue's only come up after a vulnerability has been used, I've been telling people about the awesome power of AS. Because flash allows for so much, I honestly don't know how you can lock it down. But on the plus side, I don't use flash/AS in a conventional manner, so most of the ways I would be able to (ab)use it is not really in reach for most people because they wouldn't even think of the possibilities that flash can do! So security through obscurity I guess would be the best way to say it.</htmltext>
<tokenext>While I love flash , because I 've been working with it for so many years ( go ActionScript !
) I have seen many things it can do .
Unfortunately , most people do n't take it seriously .
While the issue 's only come up after a vulnerability has been used , I 've been telling people about the awesome power of AS .
Because flash allows for so much , I honestly do n't know how you can lock it down .
But on the plus side , I do n't use flash/AS in a conventional manner , so most of the ways I would be able to ( ab ) use it is not really in reach for most people because they would n't even think of the possibilities that flash can do !
So security through obscurity I guess would be the best way to say it .</tokentext>
<sentencetext>While I love flash, because I've been working with it for so many years (go ActionScript!
) I have seen many things it can do.
Unfortunately, most people don't take it seriously.
While the issue's only come up after a vulnerability has been used, I've been telling people about the awesome power of AS.
Because flash allows for so much, I honestly don't know how you can lock it down.
But on the plus side, I don't use flash/AS in a conventional manner, so most of the ways I would be able to (ab)use it is not really in reach for most people because they wouldn't even think of the possibilities that flash can do!
So security through obscurity I guess would be the best way to say it.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082308</id>
	<title>Thanks for reminding me ...</title>
	<author>Anonymous</author>
	<datestamp>1258036140000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>4</modscore>
	<htmltext><p>To disable Flash and Shockwave in my main browser.</p><p>It's remarkable how nice it is to surf the modern web without them<nobr> <wbr></nobr>... ads (that I don't already block) have small fonts and easy-to-ignore plain text, I can listen to music and surf, and not have some crappy video start playing in a background window<nobr> <wbr></nobr>... I'm loving it.</p><p>If I need Flash, I'll just surf with one of the alternate browsers for a page or three. The rest of the time<nobr> <wbr></nobr>... bliss. Sheer bliss<nobr> <wbr></nobr>...</p></htmltext>
<tokenext>To disable Flash and Shockwave in my main browser.It 's remarkable how nice it is to surf the modern web without them ... ads ( that I do n't already block ) have small fonts and easy-to-ignore plain text , I can listen to music and surf , and not have some crappy video start playing in a background window ... I 'm loving it.If I need Flash , I 'll just surf with one of the alternate browsers for a page or three .
The rest of the time ... bliss. Sheer bliss .. .</tokentext>
<sentencetext>To disable Flash and Shockwave in my main browser.It's remarkable how nice it is to surf the modern web without them ... ads (that I don't already block) have small fonts and easy-to-ignore plain text, I can listen to music and surf, and not have some crappy video start playing in a background window ... I'm loving it.If I need Flash, I'll just surf with one of the alternate browsers for a page or three.
The rest of the time ... bliss. Sheer bliss ...</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082198</id>
	<title>Simple solution</title>
	<author>zcv</author>
	<datestamp>1258035000000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Seems like the simple solution is to serve all non-trusted content from a separate hostname. For example, serve avatars or uploaded files from usercontent.example.com.</p><p>As far as I can tell this would stop the attack nicely. The malicious SWF would execute in the context of a domain you don't care about.</p></htmltext>
<tokenext>Seems like the simple solution is to serve all non-trusted content from a separate hostname .
For example , serve avatars or uploaded files from usercontent.example.com.As far as I can tell this would stop the attack nicely .
The malicious SWF would execute in the context of a domain you do n't care about .</tokentext>
<sentencetext>Seems like the simple solution is to serve all non-trusted content from a separate hostname.
For example, serve avatars or uploaded files from usercontent.example.com.As far as I can tell this would stop the attack nicely.
The malicious SWF would execute in the context of a domain you don't care about.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081500</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082076</id>
	<title>they're too busy...</title>
	<author>Machupo</author>
	<datestamp>1258034280000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>working on an x64 version of flash...</p><p>oh, wait...</p></htmltext>
<tokenext>working on an x64 version of flash...oh , wait.. .</tokentext>
<sentencetext>working on an x64 version of flash...oh, wait...</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30083294</id>
	<title>Am I not understanding this correctly?</title>
	<author>lidocaineus</author>
	<datestamp>1258044720000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>3</modscore>
	<htmltext><p>I get the gist of the article - user flash content shouldn't be served from the same domain as your app.</p><p>But here's the thing - I know many, many people who run webservers just for the hell of it, and give free accounts to friends and such (the ubiquitous public\_html subdirectory for a user, aka ~ ).  So let's say the webserver at example.com has something like a secure login for webmail access or other stuff on there as well.  It's not terribly vital, but it's still in place.  One of the users maliciously uploads one of these flash files, has another person run it, and then that person logs in to another section of example.com - can the attacker then grab that data?  It seems to be the case.</p><p>So what the hell are people in this situation supposed to do?  Is the only solution to move all that user content to a subdomain as well?  Seriously?  At least javascript is confined mostly to a single PAGE - please tell me I'm reading this incorrectly.</p></htmltext>
<tokenext>I get the gist of the article - user flash content should n't be served from the same domain as your app.But here 's the thing - I know many , many people who run webservers just for the hell of it , and give free accounts to friends and such ( the ubiquitous public \ _html subdirectory for a user , aka ~ ) .
So let 's say the webserver at example.com has something like a secure login for webmail access or other stuff on there as well .
It 's not terribly vital , but it 's still in place .
One of the users maliciously uploads one of these flash files , has another person run it , and then that person logs in to another section of example.com - can the attacker then grab that data ?
It seems to be the case.So what the hell are people in this situation supposed to do ?
Is the only solution to move all that user content to a subdomain as well ?
Seriously ? At least javascript is confined mostly to a single PAGE - please tell me I 'm reading this incorrectly .</tokentext>
<sentencetext>I get the gist of the article - user flash content shouldn't be served from the same domain as your app.But here's the thing - I know many, many people who run webservers just for the hell of it, and give free accounts to friends and such (the ubiquitous public\_html subdirectory for a user, aka ~ ).
So let's say the webserver at example.com has something like a secure login for webmail access or other stuff on there as well.
It's not terribly vital, but it's still in place.
One of the users maliciously uploads one of these flash files, has another person run it, and then that person logs in to another section of example.com - can the attacker then grab that data?
It seems to be the case.So what the hell are people in this situation supposed to do?
Is the only solution to move all that user content to a subdomain as well?
Seriously?  At least javascript is confined mostly to a single PAGE - please tell me I'm reading this incorrectly.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30084738</id>
	<title>Re:Broken security model</title>
	<author>BerkeleyDude</author>
	<datestamp>1258108260000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><div class="quote"><p>4. Run embedded flash objects in the context of the page they are embedded in, rather than that of the origin server. (Flash objects accessed directly, like javascript run through the javascript: uri handler, have no permissions)</p></div><p>I'd call that the proper solution. JavaScript files are executable, too. Why don't they have the same vulnerabilities as SWFs? Because they run in the context of the page they're embedded in.</p></div>
	</htmltext>
<tokenext>4 .
Run embedded flash objects in the context of the page they are embedded in , rather than that of the origin server .
( Flash objects accessed directly , like javascript run through the javascript : uri handler , have no permissions ) I 'd call that the proper solution .
JavaScript files are executable , too .
Why do n't they have the same vulnerabilities as SWFs ?
Because they run in the context of the page they 're embedded in .</tokentext>
<sentencetext>4.
Run embedded flash objects in the context of the page they are embedded in, rather than that of the origin server.
(Flash objects accessed directly, like javascript run through the javascript: uri handler, have no permissions)I'd call that the proper solution.
JavaScript files are executable, too.
Why don't they have the same vulnerabilities as SWFs?
Because they run in the context of the page they're embedded in.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30083316</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082174</id>
	<title>So is there an "immune system" file scanner?</title>
	<author>presidenteloco</author>
	<datestamp>1258034820000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>That can look for a signature in the uploaded file bytes that means the file is a swf? or a swf-readable policy xml file?</p><p>Anyone know of code that does that? Maybe Adobe would be kind enough to release some Java code and python<br>code for detecting their own files.</p></htmltext>
<tokenext>That can look for a signature in the uploaded file bytes that means the file is a swf ?
or a swf-readable policy xml file ? Anyone know of code that does that ?
Maybe Adobe would be kind enough to release some Java code and pythoncode for detecting their own files .</tokentext>
<sentencetext>That can look for a signature in the uploaded file bytes that means the file is a swf?
or a swf-readable policy xml file?Anyone know of code that does that?
Maybe Adobe would be kind enough to release some Java code and pythoncode for detecting their own files.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30094466</id>
	<title>Re:Flash security has always frightened me</title>
	<author>Anonymous</author>
	<datestamp>1258126380000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>These are two great examples of good intentions having unexpected consequences: XMLHttpRequest and Flash policy files.</p><p>Because XHR doesn't allow cross-domain requests, web applications have adopted workarounds like cross-domain JSON via dynamic SCRIPT tags. This is horrible for client security.  It requires that the client load script from a different domain and execute it (in the context of the client's domain!) just to get some web service data.  That's really scary.</p><p>Flash, OTOH, created a way for servers to opt in to sharing data across-domains via policy files. That's actually quite logical, as it's really what you want to do.</p><p>The problem now is that sites need to police against having policy files shoved on their sites.  But this problem already existed. You wouldn't let a user  replace your robots.txt file.  You wouldn't let a user upload an HTML+JS file that could then access the same-domain server data then post it across domains (because cross-domain post is permitted in the browser).</p></htmltext>
<tokenext>These are two great examples of good intentions having unexpected consequences : XMLHttpRequest and Flash policy files.Because XHR does n't allow cross-domain requests , web applications have adopted workarounds like cross-domain JSON via dynamic SCRIPT tags .
This is horrible for client security .
It requires that the client load script from a different domain and execute it ( in the context of the client 's domain !
) just to get some web service data .
That 's really scary.Flash , OTOH , created a way for servers to opt in to sharing data across-domains via policy files .
That 's actually quite logical , as it 's really what you want to do.The problem now is that sites need to police against having policy files shoved on their sites .
But this problem already existed .
You would n't let a user replace your robots.txt file .
You would n't let a user upload an HTML + JS file that could then access the same-domain server data then post it across domains ( because cross-domain post is permitted in the browser ) .</tokentext>
<sentencetext>These are two great examples of good intentions having unexpected consequences: XMLHttpRequest and Flash policy files.Because XHR doesn't allow cross-domain requests, web applications have adopted workarounds like cross-domain JSON via dynamic SCRIPT tags.
This is horrible for client security.
It requires that the client load script from a different domain and execute it (in the context of the client's domain!
) just to get some web service data.
That's really scary.Flash, OTOH, created a way for servers to opt in to sharing data across-domains via policy files.
That's actually quite logical, as it's really what you want to do.The problem now is that sites need to police against having policy files shoved on their sites.
But this problem already existed.
You wouldn't let a user  replace your robots.txt file.
You wouldn't let a user upload an HTML+JS file that could then access the same-domain server data then post it across domains (because cross-domain post is permitted in the browser).</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082144</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30132710</id>
	<title>I'm on Ubuntu.</title>
	<author>haxor.dk</author>
	<datestamp>1258488480000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>I use swf-dec and gnash.</p><p>Am I vulnerable?</p><p>Ok, that was retorical - bwahahah!</p></htmltext>
<tokenext>I use swf-dec and gnash.Am I vulnerable ? Ok , that was retorical - bwahahah !</tokentext>
<sentencetext>I use swf-dec and gnash.Am I vulnerable?Ok, that was retorical - bwahahah!</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30085748</id>
	<title>Re:Client or server?</title>
	<author>Anonymous</author>
	<datestamp>1258121940000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><blockquote><div><p>The best way of fixing this would be for Flash to check for public key file in a well-known location on the server and refuse to run any Flash files that are not accompanied by a signature from the corresponding private key (or run them but don't allow them to access any external resources).</p></div></blockquote><p>Or, oh, I don't know... just have flash not allow uploading/serving flash content, the same way you don't allow uploading exes?</p></div>
	</htmltext>
<tokenext>The best way of fixing this would be for Flash to check for public key file in a well-known location on the server and refuse to run any Flash files that are not accompanied by a signature from the corresponding private key ( or run them but do n't allow them to access any external resources ) .Or , oh , I do n't know... just have flash not allow uploading/serving flash content , the same way you do n't allow uploading exes ?</tokentext>
<sentencetext>The best way of fixing this would be for Flash to check for public key file in a well-known location on the server and refuse to run any Flash files that are not accompanied by a signature from the corresponding private key (or run them but don't allow them to access any external resources).Or, oh, I don't know... just have flash not allow uploading/serving flash content, the same way you don't allow uploading exes?
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081626</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30083376</id>
	<title>Re:Flashblock</title>
	<author>Anonymous</author>
	<datestamp>1258045500000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Why?</p></htmltext>
<tokenext>Why ?</tokentext>
<sentencetext>Why?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081704</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082144</id>
	<title>Flash security has always frightened me</title>
	<author>QuoteMstr</author>
	<datestamp>1258034640000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>4</modscore>
	<htmltext><p>I've been worried about Flash security for a long time now. I'd like to point out three features of Flash that bother me.</p><p>First, Flash allows a web application to <a href="http://www.jeffothy.com/weblog/clipboard-copy/" title="jeffothy.com">paste data to the clipboard</a> [jeffothy.com] even if the browser itself forbids this. Of the major browsers, only IE allows applications to directly set the clipboard content.</p><p>Second, Flash has an <a href="http://www.xml.com/pub/a/2006/06/28/flashxmlhttprequest-proxy-to-the-rescue.html" title="xml.com">XMLHttpRequest equivalent</a> [xml.com] with a <a href="http://www.adobe.com/devnet/flashplayer/articles/cross\_domain\_policy.html" title="adobe.com">lax security policy</a> [adobe.com]. Cross-domain retrieval is controlled by an XML control file listing permissible origins.</p><p>Finally, Flash has its own cookie system. These Flash cookies are hidden from the user, and require <a href="http://www.fightidentitytheft.com/blog/new-breed-super-cookie-defies-removal-almost" title="fightidentitytheft.com">special tools</a> [fightidentitytheft.com] to remove.</p><p>These features are secure <i>in themselves</i>, but are enablers: they give attackers the means to exploit other vulnerabilities.</p><p>Unfortunately, this cavalier attitude fits Adobe's business model. Lax security is as much a feature of Flash as its vector graphics. Flash allows web developers "get shit done" with no regard for the security of the web ecosystem as a whole. Web developers then come to rely on Flash, which increases the adoption of Flash Player among users, which in turn increases the value of Adobe's authoring tools. Being insecure is lucrative, up to the point that the vulnerabilities become so egregious that users disable Flash.</p><p>On the other hand, browser vendors seem to take a mostly-conservative approach to security (don't laugh yet): consider XMLHttpRequest: sure, its same-origin restriction on the target URL is inconvenient, and the restriction might have been <a href="http://www.w3.org/TR/cors/" title="w3.org">loosened</a> [w3.org] while remaining secure. But this same prudent restriction has also prevented many attacks. Browser vendors have the right  incentives because users have a realistic choice of browsers. Flash is an all-or-nothing affair.</p><p>I wish I had an answer. Hopefully, HTML 5 will become widely supported enough that websites won't feel compelled to use Flash for graphics and storage, and eventually Flash's market penetration will sink below the point that web developers can consider it a viable way to circumvent browser security.</p></htmltext>
<tokenext>I 've been worried about Flash security for a long time now .
I 'd like to point out three features of Flash that bother me.First , Flash allows a web application to paste data to the clipboard [ jeffothy.com ] even if the browser itself forbids this .
Of the major browsers , only IE allows applications to directly set the clipboard content.Second , Flash has an XMLHttpRequest equivalent [ xml.com ] with a lax security policy [ adobe.com ] .
Cross-domain retrieval is controlled by an XML control file listing permissible origins.Finally , Flash has its own cookie system .
These Flash cookies are hidden from the user , and require special tools [ fightidentitytheft.com ] to remove.These features are secure in themselves , but are enablers : they give attackers the means to exploit other vulnerabilities.Unfortunately , this cavalier attitude fits Adobe 's business model .
Lax security is as much a feature of Flash as its vector graphics .
Flash allows web developers " get shit done " with no regard for the security of the web ecosystem as a whole .
Web developers then come to rely on Flash , which increases the adoption of Flash Player among users , which in turn increases the value of Adobe 's authoring tools .
Being insecure is lucrative , up to the point that the vulnerabilities become so egregious that users disable Flash.On the other hand , browser vendors seem to take a mostly-conservative approach to security ( do n't laugh yet ) : consider XMLHttpRequest : sure , its same-origin restriction on the target URL is inconvenient , and the restriction might have been loosened [ w3.org ] while remaining secure .
But this same prudent restriction has also prevented many attacks .
Browser vendors have the right incentives because users have a realistic choice of browsers .
Flash is an all-or-nothing affair.I wish I had an answer .
Hopefully , HTML 5 will become widely supported enough that websites wo n't feel compelled to use Flash for graphics and storage , and eventually Flash 's market penetration will sink below the point that web developers can consider it a viable way to circumvent browser security .</tokentext>
<sentencetext>I've been worried about Flash security for a long time now.
I'd like to point out three features of Flash that bother me.First, Flash allows a web application to paste data to the clipboard [jeffothy.com] even if the browser itself forbids this.
Of the major browsers, only IE allows applications to directly set the clipboard content.Second, Flash has an XMLHttpRequest equivalent [xml.com] with a lax security policy [adobe.com].
Cross-domain retrieval is controlled by an XML control file listing permissible origins.Finally, Flash has its own cookie system.
These Flash cookies are hidden from the user, and require special tools [fightidentitytheft.com] to remove.These features are secure in themselves, but are enablers: they give attackers the means to exploit other vulnerabilities.Unfortunately, this cavalier attitude fits Adobe's business model.
Lax security is as much a feature of Flash as its vector graphics.
Flash allows web developers "get shit done" with no regard for the security of the web ecosystem as a whole.
Web developers then come to rely on Flash, which increases the adoption of Flash Player among users, which in turn increases the value of Adobe's authoring tools.
Being insecure is lucrative, up to the point that the vulnerabilities become so egregious that users disable Flash.On the other hand, browser vendors seem to take a mostly-conservative approach to security (don't laugh yet): consider XMLHttpRequest: sure, its same-origin restriction on the target URL is inconvenient, and the restriction might have been loosened [w3.org] while remaining secure.
But this same prudent restriction has also prevented many attacks.
Browser vendors have the right  incentives because users have a realistic choice of browsers.
Flash is an all-or-nothing affair.I wish I had an answer.
Hopefully, HTML 5 will become widely supported enough that websites won't feel compelled to use Flash for graphics and storage, and eventually Flash's market penetration will sink below the point that web developers can consider it a viable way to circumvent browser security.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081626</id>
	<title>Re:Client or server?</title>
	<author>TheRaven64</author>
	<datestamp>1258031340000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>4</modscore>
	<htmltext><p>From what I understood skimming TFA, it's a cross-site scripting vulnerability, meaning the client's account on the server is vulnerable.  I upload EvilFlash.swf to some site that allows downloads.  Then I send you a link to this file.  Your browser opens the<nobr> <wbr></nobr>.swf and runs it with the plugin.  Unfortunately for you, the plug in runs it in the hosting site's domain, so it can access anything that you can access on the download site.  If the site is something like PutYourFaceInTheBook.com then it will be able to access everything in your account and even modify everything there.  It could then send links to everyone else on your friends list and if they click on them then the same thing happens.  </p><p>
The best way of fixing this would be for Flash to check for public key file in a well-known location on the server and refuse to run any Flash files that are not accompanied by a signature from the corresponding private key (or run them but don't allow them to access any external resources).</p></htmltext>
<tokenext>From what I understood skimming TFA , it 's a cross-site scripting vulnerability , meaning the client 's account on the server is vulnerable .
I upload EvilFlash.swf to some site that allows downloads .
Then I send you a link to this file .
Your browser opens the .swf and runs it with the plugin .
Unfortunately for you , the plug in runs it in the hosting site 's domain , so it can access anything that you can access on the download site .
If the site is something like PutYourFaceInTheBook.com then it will be able to access everything in your account and even modify everything there .
It could then send links to everyone else on your friends list and if they click on them then the same thing happens .
The best way of fixing this would be for Flash to check for public key file in a well-known location on the server and refuse to run any Flash files that are not accompanied by a signature from the corresponding private key ( or run them but do n't allow them to access any external resources ) .</tokentext>
<sentencetext>From what I understood skimming TFA, it's a cross-site scripting vulnerability, meaning the client's account on the server is vulnerable.
I upload EvilFlash.swf to some site that allows downloads.
Then I send you a link to this file.
Your browser opens the .swf and runs it with the plugin.
Unfortunately for you, the plug in runs it in the hosting site's domain, so it can access anything that you can access on the download site.
If the site is something like PutYourFaceInTheBook.com then it will be able to access everything in your account and even modify everything there.
It could then send links to everyone else on your friends list and if they click on them then the same thing happens.
The best way of fixing this would be for Flash to check for public key file in a well-known location on the server and refuse to run any Flash files that are not accompanied by a signature from the corresponding private key (or run them but don't allow them to access any external resources).</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081418</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30085774</id>
	<title>Re:Client or server?</title>
	<author>Civil\_Disobedient</author>
	<datestamp>1258122240000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>+1 Absolutely correct.</p><p>This only affects sites stupid enough to re-serve a particular user's content to everyone.</p><p>If, for example, you are a Flex developer and allow users to upload images (or even... GASP! SWF files!) to the server, but only allow <i>that particular user</i> to see the file, you're completely safe.  In fact, you're just ensuring the malicious parties are the only ones who might ever be affected by their malicious software.  It's almost poetic.</p></htmltext>
<tokenext>+ 1 Absolutely correct.This only affects sites stupid enough to re-serve a particular user 's content to everyone.If , for example , you are a Flex developer and allow users to upload images ( or even... GASP ! SWF files !
) to the server , but only allow that particular user to see the file , you 're completely safe .
In fact , you 're just ensuring the malicious parties are the only ones who might ever be affected by their malicious software .
It 's almost poetic .</tokentext>
<sentencetext>+1 Absolutely correct.This only affects sites stupid enough to re-serve a particular user's content to everyone.If, for example, you are a Flex developer and allow users to upload images (or even... GASP! SWF files!
) to the server, but only allow that particular user to see the file, you're completely safe.
In fact, you're just ensuring the malicious parties are the only ones who might ever be affected by their malicious software.
It's almost poetic.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081926</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082084</id>
	<title>Re:Uploading a swf with a jpg extension?</title>
	<author>Lobster Quadrille</author>
	<datestamp>1258034280000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>3</modscore>
	<htmltext><p>You'd think so, but you'd be wrong. Embedded content can specify the content-type in HTML (in order for the browser to know what plugin to use to load that content), and Flash trusts that declaration, not the content-type supplied by the server.  A properly-designed plugin should trust the server, not the HTML that calls it.</p></htmltext>
<tokenext>You 'd think so , but you 'd be wrong .
Embedded content can specify the content-type in HTML ( in order for the browser to know what plugin to use to load that content ) , and Flash trusts that declaration , not the content-type supplied by the server .
A properly-designed plugin should trust the server , not the HTML that calls it .</tokentext>
<sentencetext>You'd think so, but you'd be wrong.
Embedded content can specify the content-type in HTML (in order for the browser to know what plugin to use to load that content), and Flash trusts that declaration, not the content-type supplied by the server.
A properly-designed plugin should trust the server, not the HTML that calls it.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081958</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081804</id>
	<title>Re:the article is bullshit.</title>
	<author>Anonymous</author>
	<datestamp>1258032420000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>5</modscore>
	<htmltext><p>You, sir, are entitled to the Arrogant Uninformed Derogatory Comment of The Day Award. Here's why, a quote from TFA:</p><p><div class="quote"><p>It gets worse. Uploading a SWF with a<nobr> <wbr></nobr>.jpg extension, or a forged content-type header will get you a long way, but what if you can upload perfectly valid files with malicious content? Remember GIFAR? The basic premise is this: Overload a GIF file with a JAR archive. Specifically, the ZIP file format can be appended to any binary file and still be valid. The GIF format, in turn, can have any binary file appended to it. The JAR archive, being essentially a ZIP file, can be combined with a GIF image to create a a file that is both a valid image and a perfectly valid JAR archive. While SWF files cannot be appended to other formats, the inverse of the GIFAR exploit works- any file format in the ZIP family can have a SWF file prepended to it. This means that ZIP archives, self-extracting executables, Microsoft Office Open XML documents, XPI files, and, if you want to be ridiculous, even JAR files can all be crafted to contain executable SWFs. Additionally, if you don't care too much about compliance with standards (and what attacker does?), many server-side content validation libraries will also allow malformed PDFs, MP3s, and other media formats, so long as you are careful not to mangle them too much. This content overloading technique has countless variations, but the end result is always the same: no matter how good your validation routines, you simply cannot trust user-supplied content.</p></div><p>Short of rewriting everything that has anything to do with several popular formats, you're out of luck.</p><p>How, you do ask, is such a prepared file going to be uploaded? A worm that intercepts uploads in the browser, for example. I was able to come up with this in two minuttes, I'm sure that any self-respecting blackhat hacker will as well.</p></div>
	</htmltext>
<tokenext>You , sir , are entitled to the Arrogant Uninformed Derogatory Comment of The Day Award .
Here 's why , a quote from TFA : It gets worse .
Uploading a SWF with a .jpg extension , or a forged content-type header will get you a long way , but what if you can upload perfectly valid files with malicious content ?
Remember GIFAR ?
The basic premise is this : Overload a GIF file with a JAR archive .
Specifically , the ZIP file format can be appended to any binary file and still be valid .
The GIF format , in turn , can have any binary file appended to it .
The JAR archive , being essentially a ZIP file , can be combined with a GIF image to create a a file that is both a valid image and a perfectly valid JAR archive .
While SWF files can not be appended to other formats , the inverse of the GIFAR exploit works- any file format in the ZIP family can have a SWF file prepended to it .
This means that ZIP archives , self-extracting executables , Microsoft Office Open XML documents , XPI files , and , if you want to be ridiculous , even JAR files can all be crafted to contain executable SWFs .
Additionally , if you do n't care too much about compliance with standards ( and what attacker does ?
) , many server-side content validation libraries will also allow malformed PDFs , MP3s , and other media formats , so long as you are careful not to mangle them too much .
This content overloading technique has countless variations , but the end result is always the same : no matter how good your validation routines , you simply can not trust user-supplied content.Short of rewriting everything that has anything to do with several popular formats , you 're out of luck.How , you do ask , is such a prepared file going to be uploaded ?
A worm that intercepts uploads in the browser , for example .
I was able to come up with this in two minuttes , I 'm sure that any self-respecting blackhat hacker will as well .</tokentext>
<sentencetext>You, sir, are entitled to the Arrogant Uninformed Derogatory Comment of The Day Award.
Here's why, a quote from TFA:It gets worse.
Uploading a SWF with a .jpg extension, or a forged content-type header will get you a long way, but what if you can upload perfectly valid files with malicious content?
Remember GIFAR?
The basic premise is this: Overload a GIF file with a JAR archive.
Specifically, the ZIP file format can be appended to any binary file and still be valid.
The GIF format, in turn, can have any binary file appended to it.
The JAR archive, being essentially a ZIP file, can be combined with a GIF image to create a a file that is both a valid image and a perfectly valid JAR archive.
While SWF files cannot be appended to other formats, the inverse of the GIFAR exploit works- any file format in the ZIP family can have a SWF file prepended to it.
This means that ZIP archives, self-extracting executables, Microsoft Office Open XML documents, XPI files, and, if you want to be ridiculous, even JAR files can all be crafted to contain executable SWFs.
Additionally, if you don't care too much about compliance with standards (and what attacker does?
), many server-side content validation libraries will also allow malformed PDFs, MP3s, and other media formats, so long as you are careful not to mangle them too much.
This content overloading technique has countless variations, but the end result is always the same: no matter how good your validation routines, you simply cannot trust user-supplied content.Short of rewriting everything that has anything to do with several popular formats, you're out of luck.How, you do ask, is such a prepared file going to be uploaded?
A worm that intercepts uploads in the browser, for example.
I was able to come up with this in two minuttes, I'm sure that any self-respecting blackhat hacker will as well.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081622</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082770</id>
	<title>Adobie Gillis?</title>
	<author>freelunch</author>
	<datestamp>1258040460000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Whenever I see yet another Flash security issue, I wonder if <a href="http://ecx.images-amazon.com/images/I/41CJVE7V91L.\_SL500\_AA240\_.jpg" title="images-amazon.com">Adobie Gillis</a> [images-amazon.com] is their CEO, or maybe they should change their name.</p></htmltext>
<tokenext>Whenever I see yet another Flash security issue , I wonder if Adobie Gillis [ images-amazon.com ] is their CEO , or maybe they should change their name .</tokentext>
<sentencetext>Whenever I see yet another Flash security issue, I wonder if Adobie Gillis [images-amazon.com] is their CEO, or maybe they should change their name.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30084346</id>
	<title>user agent check?</title>
	<author>flasheru</author>
	<datestamp>1258144800000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>So now would be the right time to change the label on the server side user agent check from paranoid to advisable?</htmltext>
<tokenext>So now would be the right time to change the label on the server side user agent check from paranoid to advisable ?</tokentext>
<sentencetext>So now would be the right time to change the label on the server side user agent check from paranoid to advisable?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081360</id>
	<title>OH NO!!!</title>
	<author>Narcocide</author>
	<datestamp>1258029900000</datestamp>
	<modclass>Funny</modclass>
	<modscore>4</modscore>
	<htmltext><p>Someone has found an issue with Flash?!  Say it isn't so...</p></htmltext>
<tokenext>Someone has found an issue with Flash ? !
Say it is n't so.. .</tokentext>
<sentencetext>Someone has found an issue with Flash?!
Say it isn't so...</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081856</id>
	<title>If Adobe doesn't pick uo it's pace</title>
	<author>Anonymous</author>
	<datestamp>1258032780000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>they will be devoured by silverlight.</p></htmltext>
<tokenext>they will be devoured by silverlight .</tokentext>
<sentencetext>they will be devoured by silverlight.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30083380</id>
	<title>Re:the article is bullshit.</title>
	<author>Anonymous</author>
	<datestamp>1258045500000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>1</modscore>
	<htmltext><p>
The article is bullshit, and your comment is also misinformed.  Read what you wrote after the stuff you quoted:</p><blockquote><div><p>Short of rewriting everything that has anything to do with several popular formats, you're out of luck</p></div>
</blockquote><p>
The very first rule is "be restrictive in what you allow."
</p><p>
Anyone uploading an swf with a jpg extension is going to find that they're fucked on anything I'd write, simply because when I call code to resize it and convert it to a png, the swf is going to get really mangled, isn't it<nobr> <wbr></nobr>... so your renaming "sploit" isn't going to work.
</p><blockquote><div><p>This means that ZIP archives, self-extracting executables, Microsoft Office Open XML documents, XPI files, and, if you want to be ridiculous, even JAR files can all be crafted to contain executable SWFs</p></div>
</blockquote><p>
If it's not running on the server, and it's not running in the client browser, I don't give a shit what it contains - it's not my problem, and it doesn't affect what I'm doing.  I'm not going to use jars from joe q public in my code, it'll be a cold day in hell when I use MSOOXML, xpi files suck, and I'm certainly not going to take an untrusted zip file, unzip it, and use it.  And the stuff you quote agrees with me:</p><blockquote><div><p>the end result is always the same: no matter how good your validation routines, you simply cannot trust user-supplied content.</p></div>
</blockquote><p>
Only an idiot trusts crap uploaded by the general public.</p><blockquote><div><p>How, you do ask, is such a prepared file going to be uploaded? A worm that intercepts uploads in the browser, for example. I was able to come up with this in two minuttes (sic), I'm sure that any self-respecting blackhat hacker will as well.</p></div>
</blockquote><p>
The source is irrelevant - the simple fact is that if you trust end-user-supplied data, you're either on drugs, or you should be.  BTW - Your statement  "worm that intercepts uploads in the browser" doesn't even parse. Go back to your bong.</p></div>
	</htmltext>
<tokenext>The article is bullshit , and your comment is also misinformed .
Read what you wrote after the stuff you quoted : Short of rewriting everything that has anything to do with several popular formats , you 're out of luck The very first rule is " be restrictive in what you allow .
" Anyone uploading an swf with a jpg extension is going to find that they 're fucked on anything I 'd write , simply because when I call code to resize it and convert it to a png , the swf is going to get really mangled , is n't it ... so your renaming " sploit " is n't going to work .
This means that ZIP archives , self-extracting executables , Microsoft Office Open XML documents , XPI files , and , if you want to be ridiculous , even JAR files can all be crafted to contain executable SWFs If it 's not running on the server , and it 's not running in the client browser , I do n't give a shit what it contains - it 's not my problem , and it does n't affect what I 'm doing .
I 'm not going to use jars from joe q public in my code , it 'll be a cold day in hell when I use MSOOXML , xpi files suck , and I 'm certainly not going to take an untrusted zip file , unzip it , and use it .
And the stuff you quote agrees with me : the end result is always the same : no matter how good your validation routines , you simply can not trust user-supplied content .
Only an idiot trusts crap uploaded by the general public.How , you do ask , is such a prepared file going to be uploaded ?
A worm that intercepts uploads in the browser , for example .
I was able to come up with this in two minuttes ( sic ) , I 'm sure that any self-respecting blackhat hacker will as well .
The source is irrelevant - the simple fact is that if you trust end-user-supplied data , you 're either on drugs , or you should be .
BTW - Your statement " worm that intercepts uploads in the browser " does n't even parse .
Go back to your bong .</tokentext>
<sentencetext>
The article is bullshit, and your comment is also misinformed.
Read what you wrote after the stuff you quoted:Short of rewriting everything that has anything to do with several popular formats, you're out of luck

The very first rule is "be restrictive in what you allow.
"

Anyone uploading an swf with a jpg extension is going to find that they're fucked on anything I'd write, simply because when I call code to resize it and convert it to a png, the swf is going to get really mangled, isn't it ... so your renaming "sploit" isn't going to work.
This means that ZIP archives, self-extracting executables, Microsoft Office Open XML documents, XPI files, and, if you want to be ridiculous, even JAR files can all be crafted to contain executable SWFs

If it's not running on the server, and it's not running in the client browser, I don't give a shit what it contains - it's not my problem, and it doesn't affect what I'm doing.
I'm not going to use jars from joe q public in my code, it'll be a cold day in hell when I use MSOOXML, xpi files suck, and I'm certainly not going to take an untrusted zip file, unzip it, and use it.
And the stuff you quote agrees with me:the end result is always the same: no matter how good your validation routines, you simply cannot trust user-supplied content.
Only an idiot trusts crap uploaded by the general public.How, you do ask, is such a prepared file going to be uploaded?
A worm that intercepts uploads in the browser, for example.
I was able to come up with this in two minuttes (sic), I'm sure that any self-respecting blackhat hacker will as well.
The source is irrelevant - the simple fact is that if you trust end-user-supplied data, you're either on drugs, or you should be.
BTW - Your statement  "worm that intercepts uploads in the browser" doesn't even parse.
Go back to your bong.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081804</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081586</id>
	<title>Adobe suck!</title>
	<author>dandart</author>
	<datestamp>1258031100000</datestamp>
	<modclass>Troll</modclass>
	<modscore>-1</modscore>
	<htmltext>im in ur b0x0rz h4xring ur flashzorz</htmltext>
<tokenext>im in ur b0x0rz h4xring ur flashzorz</tokentext>
<sentencetext>im in ur b0x0rz h4xring ur flashzorz</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081682</id>
	<title>DO YOU KNOW WHAT TIME IT IS CHILDREN ??</title>
	<author>Anonymous</author>
	<datestamp>1258031700000</datestamp>
	<modclass>Troll</modclass>
	<modscore>-1</modscore>
	<htmltext><p>It's Friday the 13th, children.</p><p>Yours,<br>The one and only cat named Hercules</p></htmltext>
<tokenext>It 's Friday the 13th , children.Yours,The one and only cat named Hercules</tokentext>
<sentencetext>It's Friday the 13th, children.Yours,The one and only cat named Hercules</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082218</id>
	<title>Oh no!</title>
	<author>Solokron</author>
	<datestamp>1258035300000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext>Oh no, a hacker saw my obligatory wacky animated avatar targeting the monthly pop culture event/person/thing/etc/insert/cmdr\_taco/bad news everyone/virgin nerd/all your base belongs to us.</htmltext>
<tokenext>Oh no , a hacker saw my obligatory wacky animated avatar targeting the monthly pop culture event/person/thing/etc/insert/cmdr \ _taco/bad news everyone/virgin nerd/all your base belongs to us .</tokentext>
<sentencetext>Oh no, a hacker saw my obligatory wacky animated avatar targeting the monthly pop culture event/person/thing/etc/insert/cmdr\_taco/bad news everyone/virgin nerd/all your base belongs to us.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30083794</id>
	<title>Re:NEWS FLASH: Web sites need to screen uploads</title>
	<author>drew</author>
	<datestamp>1258051200000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>4</modscore>
	<htmltext><p>You missed the point.  Flash is not equally bad as JavaScript, it's far worse.</p><p>Suppose I'm an attacker, and I upload a malicious javascript file to www.victimsite.example.  I then reference it in a site I control www.seemingly-innocuous.example, the javascript file runs in the www.seemingly-innocuous.example domain sandbox.  Even though the file was loaded from www.victimsite.example, it can't actually access anything on the victim's site.  In order for that to happen I would have to <em>also</em> upload a malicious html document to www.victimsite.example, and convince unwary surfers to visit this new page.</p><p>Now I decide to switch to flash.  I upload a malicious SWF to www.victimsite.example, and embed it into a page at www.seemingly-innocuous.example.  Unlike the JavaScript example, my malicious SWF now runs in the www.victimsite.example domain security sandbox, and can make any requests it wants to the victimsite.example domain without the visitor to my seemingly innocuous domain being any the wiser.</p><p>It is a big deal, and it is nothing at all like JavaScript.  But it's also not remotely new.  I'm having a hard time finding anything in this article that hasn't been widely know for some time now.  It even mentions attacks that have been going on for years.</p></htmltext>
<tokenext>You missed the point .
Flash is not equally bad as JavaScript , it 's far worse.Suppose I 'm an attacker , and I upload a malicious javascript file to www.victimsite.example .
I then reference it in a site I control www.seemingly-innocuous.example , the javascript file runs in the www.seemingly-innocuous.example domain sandbox .
Even though the file was loaded from www.victimsite.example , it ca n't actually access anything on the victim 's site .
In order for that to happen I would have to also upload a malicious html document to www.victimsite.example , and convince unwary surfers to visit this new page.Now I decide to switch to flash .
I upload a malicious SWF to www.victimsite.example , and embed it into a page at www.seemingly-innocuous.example .
Unlike the JavaScript example , my malicious SWF now runs in the www.victimsite.example domain security sandbox , and can make any requests it wants to the victimsite.example domain without the visitor to my seemingly innocuous domain being any the wiser.It is a big deal , and it is nothing at all like JavaScript .
But it 's also not remotely new .
I 'm having a hard time finding anything in this article that has n't been widely know for some time now .
It even mentions attacks that have been going on for years .</tokentext>
<sentencetext>You missed the point.
Flash is not equally bad as JavaScript, it's far worse.Suppose I'm an attacker, and I upload a malicious javascript file to www.victimsite.example.
I then reference it in a site I control www.seemingly-innocuous.example, the javascript file runs in the www.seemingly-innocuous.example domain sandbox.
Even though the file was loaded from www.victimsite.example, it can't actually access anything on the victim's site.
In order for that to happen I would have to also upload a malicious html document to www.victimsite.example, and convince unwary surfers to visit this new page.Now I decide to switch to flash.
I upload a malicious SWF to www.victimsite.example, and embed it into a page at www.seemingly-innocuous.example.
Unlike the JavaScript example, my malicious SWF now runs in the www.victimsite.example domain security sandbox, and can make any requests it wants to the victimsite.example domain without the visitor to my seemingly innocuous domain being any the wiser.It is a big deal, and it is nothing at all like JavaScript.
But it's also not remotely new.
I'm having a hard time finding anything in this article that hasn't been widely know for some time now.
It even mentions attacks that have been going on for years.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081630</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082162</id>
	<title>Re:Broken security model</title>
	<author>Anonymous</author>
	<datestamp>1258034760000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>1</modscore>
	<htmltext><blockquote><div><p>Adobe's answer is just the greatest kind of cop out. "Websites just need to make sure to check all uploaded material".</p></div></blockquote><p>Just because you have a seething hated of Adobe and didn't bother to RTFM doesn't mean Adobe is wrong.</p><p>I'm no security expert, but the issue seems to boil down to:</p><p>1) It might be considered a security flaw by some, but it's not a bug and it's not even unique to Flash. Everything is working as designed.<br>2) Yes, in 2009, website programmers <b>still</b> have to throughly validate and/or sanitize <b>all</b> data coming from untrusted sources, no exceptions. Even if it's hard.</p><p>Bottom line: This is not news. Some random security researcher took a known caveat in a fully-documented system and tried to sensationalize it, that's all.</p></div>
	</htmltext>
<tokenext>Adobe 's answer is just the greatest kind of cop out .
" Websites just need to make sure to check all uploaded material " .Just because you have a seething hated of Adobe and did n't bother to RTFM does n't mean Adobe is wrong.I 'm no security expert , but the issue seems to boil down to : 1 ) It might be considered a security flaw by some , but it 's not a bug and it 's not even unique to Flash .
Everything is working as designed.2 ) Yes , in 2009 , website programmers still have to throughly validate and/or sanitize all data coming from untrusted sources , no exceptions .
Even if it 's hard.Bottom line : This is not news .
Some random security researcher took a known caveat in a fully-documented system and tried to sensationalize it , that 's all .</tokentext>
<sentencetext>Adobe's answer is just the greatest kind of cop out.
"Websites just need to make sure to check all uploaded material".Just because you have a seething hated of Adobe and didn't bother to RTFM doesn't mean Adobe is wrong.I'm no security expert, but the issue seems to boil down to:1) It might be considered a security flaw by some, but it's not a bug and it's not even unique to Flash.
Everything is working as designed.2) Yes, in 2009, website programmers still have to throughly validate and/or sanitize all data coming from untrusted sources, no exceptions.
Even if it's hard.Bottom line: This is not news.
Some random security researcher took a known caveat in a fully-documented system and tried to sensationalize it, that's all.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081500</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081622</id>
	<title>the article is bullshit.</title>
	<author>Anonymous</author>
	<datestamp>1258031280000</datestamp>
	<modclass>Flamebait</modclass>
	<modscore>1</modscore>
	<htmltext><p>
Example from the article:</p><blockquote><div><p>"All they need to do is create a malicious Flash object, and upload it to the [Web] server."
</p><p>
He used the example of a company that lets users upload content to a message forum to explain the process. "If the user forum lets people upload an image for their avatar, someone could upload a malicious Flash file that looks like an avatar image," Bailey said. "Anyone who then views that avatar would be vulnerable to attack."</p></div>
</blockquote><p>
Since when are you going to allow someone to upload an swf for an avatar.  It's going to get creamed when you resize it via php anyway.
</p><p>
This is the same "vulnerability" you'd have by allowing people to upload php code, or perl code, or javascript, to your server and you sending it out without doing ANY validation.
</p><p>
In other words, it's not a vulnerability, it's a symptom of totally bonehead design and someone looking for page hits.
</p><p>
What next - "All Windows Versions of Apache Vulnerable To<nobr> <wbr></nobr>.EXE Exploit" - where they'll say that if you allow people to upload<nobr> <wbr></nobr>.exe files to your site and blindly execute them, BAD THINGS (TM) will happen?
</p><p>
This belongs in idle.slashdot.org - it's not news, it's so bad it's not even wrong.</p></div>
	</htmltext>
<tokenext>Example from the article : " All they need to do is create a malicious Flash object , and upload it to the [ Web ] server .
" He used the example of a company that lets users upload content to a message forum to explain the process .
" If the user forum lets people upload an image for their avatar , someone could upload a malicious Flash file that looks like an avatar image , " Bailey said .
" Anyone who then views that avatar would be vulnerable to attack .
" Since when are you going to allow someone to upload an swf for an avatar .
It 's going to get creamed when you resize it via php anyway .
This is the same " vulnerability " you 'd have by allowing people to upload php code , or perl code , or javascript , to your server and you sending it out without doing ANY validation .
In other words , it 's not a vulnerability , it 's a symptom of totally bonehead design and someone looking for page hits .
What next - " All Windows Versions of Apache Vulnerable To .EXE Exploit " - where they 'll say that if you allow people to upload .exe files to your site and blindly execute them , BAD THINGS ( TM ) will happen ?
This belongs in idle.slashdot.org - it 's not news , it 's so bad it 's not even wrong .</tokentext>
<sentencetext>
Example from the article:"All they need to do is create a malicious Flash object, and upload it to the [Web] server.
"

He used the example of a company that lets users upload content to a message forum to explain the process.
"If the user forum lets people upload an image for their avatar, someone could upload a malicious Flash file that looks like an avatar image," Bailey said.
"Anyone who then views that avatar would be vulnerable to attack.
"

Since when are you going to allow someone to upload an swf for an avatar.
It's going to get creamed when you resize it via php anyway.
This is the same "vulnerability" you'd have by allowing people to upload php code, or perl code, or javascript, to your server and you sending it out without doing ANY validation.
In other words, it's not a vulnerability, it's a symptom of totally bonehead design and someone looking for page hits.
What next - "All Windows Versions of Apache Vulnerable To .EXE Exploit" - where they'll say that if you allow people to upload .exe files to your site and blindly execute them, BAD THINGS (TM) will happen?
This belongs in idle.slashdot.org - it's not news, it's so bad it's not even wrong.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081418</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082586</id>
	<title>Re:Client or server?</title>
	<author>Lobster Quadrille</author>
	<datestamp>1258038660000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><div class="quote"><p>If I allow you to upload a flash object to my site, I should sanitise it before I allow my server to give it to anyone.</p></div><p>And if you allow me to upload a zip file to your site, will you strip out the swf file that's prepended to it? This is key: It's still a perfectly-formatted zip file.</p><p>You may start checking for prepended swf files now, but you sure as hell weren't yesterday.</p><p>How exactly is this FUD?</p></div>
	</htmltext>
<tokenext>If I allow you to upload a flash object to my site , I should sanitise it before I allow my server to give it to anyone.And if you allow me to upload a zip file to your site , will you strip out the swf file that 's prepended to it ?
This is key : It 's still a perfectly-formatted zip file.You may start checking for prepended swf files now , but you sure as hell were n't yesterday.How exactly is this FUD ?</tokentext>
<sentencetext>If I allow you to upload a flash object to my site, I should sanitise it before I allow my server to give it to anyone.And if you allow me to upload a zip file to your site, will you strip out the swf file that's prepended to it?
This is key: It's still a perfectly-formatted zip file.You may start checking for prepended swf files now, but you sure as hell weren't yesterday.How exactly is this FUD?
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081926</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30084350</id>
	<title>Re:The vulnerability</title>
	<author>RAMMS+EIN</author>
	<datestamp>1258144860000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Seems to me there \_is\_ an easy fix: disable that behavior by default (why would you want it, anyway?). Then, for sites that are broken by it, allow it to be selectively enabled.</p><p>Of course, the fact that Adobe isn't fixing it and we aren't allowed to fix it nicely illustrates why having the whole world depend on a piece of proprietary software is a bad idea at least from a security point of view.</p></htmltext>
<tokenext>Seems to me there \ _is \ _ an easy fix : disable that behavior by default ( why would you want it , anyway ? ) .
Then , for sites that are broken by it , allow it to be selectively enabled.Of course , the fact that Adobe is n't fixing it and we are n't allowed to fix it nicely illustrates why having the whole world depend on a piece of proprietary software is a bad idea at least from a security point of view .</tokentext>
<sentencetext>Seems to me there \_is\_ an easy fix: disable that behavior by default (why would you want it, anyway?).
Then, for sites that are broken by it, allow it to be selectively enabled.Of course, the fact that Adobe isn't fixing it and we aren't allowed to fix it nicely illustrates why having the whole world depend on a piece of proprietary software is a bad idea at least from a security point of view.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081666</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082716</id>
	<title>Re:NEWS FLASH: Web sites need to screen uploads</title>
	<author>pizzap</author>
	<datestamp>1258039980000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><div class="quote"><p>This is ridiculous. If a web site lets you upload a JavaScript file and then serves it back to you as part of a request, it would be crazy. All that has happened here is that people have worked out that doing the same thing with a Flash file is equally bad.</p></div><p>1. You upload the javascript after the binary of a gif file and it gets executed anyways?<br>2. You create a special link to do that on your attackers page and the javascript executes within the targeted sites domain of origin?</p><p>No, javascript doesn't do either, but Flash/Actionscript does:</p><p><div class="quote"><p>A Flash object can only access content from the domain it originated from. [...] A flash object does not need to be injected into a web page to execute- simply loading the content is enough. [...] If I can get a Flash object onto your server, I can execute scripts in the context of your domain</p></div></div>
	</htmltext>
<tokenext>This is ridiculous .
If a web site lets you upload a JavaScript file and then serves it back to you as part of a request , it would be crazy .
All that has happened here is that people have worked out that doing the same thing with a Flash file is equally bad.1 .
You upload the javascript after the binary of a gif file and it gets executed anyways ? 2 .
You create a special link to do that on your attackers page and the javascript executes within the targeted sites domain of origin ? No , javascript does n't do either , but Flash/Actionscript does : A Flash object can only access content from the domain it originated from .
[ ... ] A flash object does not need to be injected into a web page to execute- simply loading the content is enough .
[ ... ] If I can get a Flash object onto your server , I can execute scripts in the context of your domain</tokentext>
<sentencetext>This is ridiculous.
If a web site lets you upload a JavaScript file and then serves it back to you as part of a request, it would be crazy.
All that has happened here is that people have worked out that doing the same thing with a Flash file is equally bad.1.
You upload the javascript after the binary of a gif file and it gets executed anyways?2.
You create a special link to do that on your attackers page and the javascript executes within the targeted sites domain of origin?No, javascript doesn't do either, but Flash/Actionscript does:A Flash object can only access content from the domain it originated from.
[...] A flash object does not need to be injected into a web page to execute- simply loading the content is enough.
[...] If I can get a Flash object onto your server, I can execute scripts in the context of your domain
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081630</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30084788</id>
	<title>Re:The vulnerability</title>
	<author>ArsenneLupin</author>
	<datestamp>1258109100000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><div class="quote"><p>even if simply displays user submitted data like *comments*, a malicious user may upload content that contains a policy XML snippet</p></div><p>Unless the comments are served as <tt>text/plain</tt> and included in an iframe (unlikelyly complex...), any xml tag included would be html escaped, and thus rendered ineffective. <tt>&lt;policy&gt; </tt> would become <tt>&amp;lt;policy&amp;gt;</tt> and lose any special power it had.</p><p>
If on the other hand, comments were <em>not</em> html-escaped, while still being served as <tt>text/html</tt>, the web site would have bigger issues than this flash vulnerability, as anybody could just include javascript instead.</p><p><div class="quote"><p>(the resulting file doesn't have to start with the snippet as well due to some specific of how the content is parsed)</p></div><p>Hmm, if a prefix to the XML snippet was ignored, and the suffix too, then image uploads might become vulnerable (most sites don't re-encode uploaded images, and probably none scan the binaries for byte-sequences that happen to look like valid xml...).</p></div>
	</htmltext>
<tokenext>even if simply displays user submitted data like * comments * , a malicious user may upload content that contains a policy XML snippetUnless the comments are served as text/plain and included in an iframe ( unlikelyly complex... ) , any xml tag included would be html escaped , and thus rendered ineffective .
would become &lt; policy &gt; and lose any special power it had .
If on the other hand , comments were not html-escaped , while still being served as text/html , the web site would have bigger issues than this flash vulnerability , as anybody could just include javascript instead .
( the resulting file does n't have to start with the snippet as well due to some specific of how the content is parsed ) Hmm , if a prefix to the XML snippet was ignored , and the suffix too , then image uploads might become vulnerable ( most sites do n't re-encode uploaded images , and probably none scan the binaries for byte-sequences that happen to look like valid xml... ) .</tokentext>
<sentencetext>even if simply displays user submitted data like *comments*, a malicious user may upload content that contains a policy XML snippetUnless the comments are served as text/plain and included in an iframe (unlikelyly complex...), any xml tag included would be html escaped, and thus rendered ineffective.
would become &lt;policy&gt; and lose any special power it had.
If on the other hand, comments were not html-escaped, while still being served as text/html, the web site would have bigger issues than this flash vulnerability, as anybody could just include javascript instead.
(the resulting file doesn't have to start with the snippet as well due to some specific of how the content is parsed)Hmm, if a prefix to the XML snippet was ignored, and the suffix too, then image uploads might become vulnerable (most sites don't re-encode uploaded images, and probably none scan the binaries for byte-sequences that happen to look like valid xml...).
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081666</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081826</id>
	<title>Re:Client or server?</title>
	<author>Anonymous</author>
	<datestamp>1258032600000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>2</modscore>
	<htmltext><p><div class="quote"><p>So, user uploads a file - say, a picture for a forum avatar.  Your image validation misses that malicious\_flash.jpg is really a SWF file, and now you're executing flash all over the place "in the context of your domain."  Which I guess means any SWF file I manage to upload anywhere can eat the hosting webserver.</p></div><p>Also, from the article:</p><p><div class="quote"><p>To be sure, any server that allows unvalidated uploads of contents will let an attacker upload html pages with cross-site scripting or other attacks, but SWF files do not require a<nobr> <wbr></nobr>.swf extension or special content-type headers to execute.</p></div><p>This is what I don't get: I understand that if a JPG is also a SWF (as per GIFAR and other manglements), it'll fool the browser into loading the content as flash.</p><p>Simply chucking a SWF on a server, renaming it to foobar.jpg, and visiting it at <a href="http://example/foobar.jpg" title="example" rel="nofollow">http://example/foobar.jpg</a> [example] doesn't load it as flash. Unless I'm really missing something here, I don't see how you can get the JPG to run as flash without also mucking around with content-type headers.</p><p>Can someone enlighten me, please?<nobr> <wbr></nobr>:-)</p></div>
	</htmltext>
<tokenext>So , user uploads a file - say , a picture for a forum avatar .
Your image validation misses that malicious \ _flash.jpg is really a SWF file , and now you 're executing flash all over the place " in the context of your domain .
" Which I guess means any SWF file I manage to upload anywhere can eat the hosting webserver.Also , from the article : To be sure , any server that allows unvalidated uploads of contents will let an attacker upload html pages with cross-site scripting or other attacks , but SWF files do not require a .swf extension or special content-type headers to execute.This is what I do n't get : I understand that if a JPG is also a SWF ( as per GIFAR and other manglements ) , it 'll fool the browser into loading the content as flash.Simply chucking a SWF on a server , renaming it to foobar.jpg , and visiting it at http : //example/foobar.jpg [ example ] does n't load it as flash .
Unless I 'm really missing something here , I do n't see how you can get the JPG to run as flash without also mucking around with content-type headers.Can someone enlighten me , please ?
: - )</tokentext>
<sentencetext>So, user uploads a file - say, a picture for a forum avatar.
Your image validation misses that malicious\_flash.jpg is really a SWF file, and now you're executing flash all over the place "in the context of your domain.
"  Which I guess means any SWF file I manage to upload anywhere can eat the hosting webserver.Also, from the article:To be sure, any server that allows unvalidated uploads of contents will let an attacker upload html pages with cross-site scripting or other attacks, but SWF files do not require a .swf extension or special content-type headers to execute.This is what I don't get: I understand that if a JPG is also a SWF (as per GIFAR and other manglements), it'll fool the browser into loading the content as flash.Simply chucking a SWF on a server, renaming it to foobar.jpg, and visiting it at http://example/foobar.jpg [example] doesn't load it as flash.
Unless I'm really missing something here, I don't see how you can get the JPG to run as flash without also mucking around with content-type headers.Can someone enlighten me, please?
:-)
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081594</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081500</id>
	<title>Broken security model</title>
	<author>Inf0phreak</author>
	<datestamp>1258030680000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>3</modscore>
	<htmltext>&lt;profanity&gt;<br>
Adobe's answer is just the greatest kind of cop out. "Websites just need to make sure to check all uploaded material". But that's obviously never going to happen -- fuck they can't even do that <em>themselves</em>! End users can't rely on every single website out there to be vigilant at all times and never accept an upload of a flash file.
<p>
If this is really unfixable in the flash plugin, then maybe it's because your security model is fucking broken and it's time to throw this piece of shit away?
<br>
&lt;/profanity&gt;</p></htmltext>
<tokenext>Adobe 's answer is just the greatest kind of cop out .
" Websites just need to make sure to check all uploaded material " .
But that 's obviously never going to happen -- fuck they ca n't even do that themselves !
End users ca n't rely on every single website out there to be vigilant at all times and never accept an upload of a flash file .
If this is really unfixable in the flash plugin , then maybe it 's because your security model is fucking broken and it 's time to throw this piece of shit away ?</tokentext>
<sentencetext>
Adobe's answer is just the greatest kind of cop out.
"Websites just need to make sure to check all uploaded material".
But that's obviously never going to happen -- fuck they can't even do that themselves!
End users can't rely on every single website out there to be vigilant at all times and never accept an upload of a flash file.
If this is really unfixable in the flash plugin, then maybe it's because your security model is fucking broken and it's time to throw this piece of shit away?

</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30083550</id>
	<title>Patents</title>
	<author>AlpineR</author>
	<datestamp>1258047720000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><blockquote><div><p>The cup is in turn designed for holding hot or cold liquids, and has an open rim and closed base.</p></div></blockquote><p>I'm curious why you used that bit of patent text for your signature. I know that many Slashdotters ridicule patents for claiming the invention of common things. But that's not what that sentence is doing in that patent. It's just defining what a "cup" is for purposes of the patent. That's a wise thing to do since a "cup" could also mean a jockstrap, part of a bra, or the hole in a putting green. The invention includes a certain kind of insulated holder for drinking cups, and with that sentence makes clear that it doesn't apply to the other cups.</p></div>
	</htmltext>
<tokenext>The cup is in turn designed for holding hot or cold liquids , and has an open rim and closed base.I 'm curious why you used that bit of patent text for your signature .
I know that many Slashdotters ridicule patents for claiming the invention of common things .
But that 's not what that sentence is doing in that patent .
It 's just defining what a " cup " is for purposes of the patent .
That 's a wise thing to do since a " cup " could also mean a jockstrap , part of a bra , or the hole in a putting green .
The invention includes a certain kind of insulated holder for drinking cups , and with that sentence makes clear that it does n't apply to the other cups .</tokentext>
<sentencetext>The cup is in turn designed for holding hot or cold liquids, and has an open rim and closed base.I'm curious why you used that bit of patent text for your signature.
I know that many Slashdotters ridicule patents for claiming the invention of common things.
But that's not what that sentence is doing in that patent.
It's just defining what a "cup" is for purposes of the patent.
That's a wise thing to do since a "cup" could also mean a jockstrap, part of a bra, or the hole in a putting green.
The invention includes a certain kind of insulated holder for drinking cups, and with that sentence makes clear that it doesn't apply to the other cups.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082084</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082082</id>
	<title>Bad Adobe!</title>
	<author>onyxruby</author>
	<datestamp>1258034280000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext>This is the same kind of logic Microsoft used with security in the 9.x kernel. Putting the impetus on third parties to behave and not take advantage of this is nuts! Are they not the least bit familiar with malware or anything else of the like? Bad Adobe, bad!</htmltext>
<tokenext>This is the same kind of logic Microsoft used with security in the 9.x kernel .
Putting the impetus on third parties to behave and not take advantage of this is nuts !
Are they not the least bit familiar with malware or anything else of the like ?
Bad Adobe , bad !</tokentext>
<sentencetext>This is the same kind of logic Microsoft used with security in the 9.x kernel.
Putting the impetus on third parties to behave and not take advantage of this is nuts!
Are they not the least bit familiar with malware or anything else of the like?
Bad Adobe, bad!</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30083328</id>
	<title>Re:Uploading a swf with a jpg extension?</title>
	<author>ChrisMaple</author>
	<datestamp>1258045020000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Some viewers ignore extensions and determine image type by the 4CC: The first 4 bytes of a file, which in many cases identify the actual file type.</htmltext>
<tokenext>Some viewers ignore extensions and determine image type by the 4CC : The first 4 bytes of a file , which in many cases identify the actual file type .</tokentext>
<sentencetext>Some viewers ignore extensions and determine image type by the 4CC: The first 4 bytes of a file, which in many cases identify the actual file type.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081958</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30087044</id>
	<title>Re:The vulnerability</title>
	<author>spinkham</author>
	<datestamp>1258129140000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Adobe does have a fix for this behavoir, and it's Flash Meta Policies.<br><a href="http://www.adobe.com/devnet/flashplayer/articles/fplayer9\_security\_03.html" title="adobe.com">http://www.adobe.com/devnet/flashplayer/articles/fplayer9\_security\_03.html</a> [adobe.com]</p><p>Of course, they're only available to flash 9 and 10, but the people running Flash 8 still have worse security problems to worry about.</p></htmltext>
<tokenext>Adobe does have a fix for this behavoir , and it 's Flash Meta Policies.http : //www.adobe.com/devnet/flashplayer/articles/fplayer9 \ _security \ _03.html [ adobe.com ] Of course , they 're only available to flash 9 and 10 , but the people running Flash 8 still have worse security problems to worry about .</tokentext>
<sentencetext>Adobe does have a fix for this behavoir, and it's Flash Meta Policies.http://www.adobe.com/devnet/flashplayer/articles/fplayer9\_security\_03.html [adobe.com]Of course, they're only available to flash 9 and 10, but the people running Flash 8 still have worse security problems to worry about.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081666</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081550</id>
	<title>also risk of d/l .bat / .pl ! ban mimetypes now!</title>
	<author>Anonymous</author>
	<datestamp>1258030920000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>n/t</p></htmltext>
<tokenext>n/t</tokentext>
<sentencetext>n/t</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30084910</id>
	<title>Re:Flash security has always frightened me</title>
	<author>ArsenneLupin</author>
	<datestamp>1258111080000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><div class="quote"><p>Where they are exactly depends on your browser and OS, but they're still just regular files.</p></div><p>You still need to know the file name. And it doesn't seem to be anything obvious stored under<nobr> <wbr></nobr><tt>.mozilla</tt> and containing <tt>flash</tt> in its name...</p></div>
	</htmltext>
<tokenext>Where they are exactly depends on your browser and OS , but they 're still just regular files.You still need to know the file name .
And it does n't seem to be anything obvious stored under .mozilla and containing flash in its name.. .</tokentext>
<sentencetext>Where they are exactly depends on your browser and OS, but they're still just regular files.You still need to know the file name.
And it doesn't seem to be anything obvious stored under .mozilla and containing flash in its name...
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30083512</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081888</id>
	<title>It's times like this...</title>
	<author>KillShill</author>
	<datestamp>1258033080000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext><p>I'm glad that 64-bit Firefox doesn't have a flash plugin.</p></htmltext>
<tokenext>I 'm glad that 64-bit Firefox does n't have a flash plugin .</tokentext>
<sentencetext>I'm glad that 64-bit Firefox doesn't have a flash plugin.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081472</id>
	<title>Re:Client or server?</title>
	<author>jpmorgan</author>
	<datestamp>1258030560000</datestamp>
	<modclass>Funny</modclass>
	<modscore>3</modscore>
	<htmltext>I know it's a lot to ask, but you could just RTFA. I guess I'll be the enabler today...
<br>
<br>Apparently it's a server-side vulnerability, but this puts users at risk since hijacking trusted websites makes it much easier to socially engineer malware onto people's computers. I.e., if gmail were to be compromised, and you login to gmail and there's a link to download some special gmail-improving program, a lot of people will download and install it, even though it was placed there by a hacker and not Google themselves.</htmltext>
<tokenext>I know it 's a lot to ask , but you could just RTFA .
I guess I 'll be the enabler today.. . Apparently it 's a server-side vulnerability , but this puts users at risk since hijacking trusted websites makes it much easier to socially engineer malware onto people 's computers .
I.e. , if gmail were to be compromised , and you login to gmail and there 's a link to download some special gmail-improving program , a lot of people will download and install it , even though it was placed there by a hacker and not Google themselves .</tokentext>
<sentencetext>I know it's a lot to ask, but you could just RTFA.
I guess I'll be the enabler today...

Apparently it's a server-side vulnerability, but this puts users at risk since hijacking trusted websites makes it much easier to socially engineer malware onto people's computers.
I.e., if gmail were to be compromised, and you login to gmail and there's a link to download some special gmail-improving program, a lot of people will download and install it, even though it was placed there by a hacker and not Google themselves.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081418</parent>
</comment>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_12_2337236_1</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081360
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081696
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_12_2337236_12</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081630
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082716
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_12_2337236_46</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082144
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30083186
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_12_2337236_40</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081418
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081622
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081812
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_12_2337236_39</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081500
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082198
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_12_2337236_7</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081360
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30085868
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_12_2337236_43</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081666
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30084788
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_12_2337236_29</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081666
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30084350
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_12_2337236_20</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081500
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082162
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30088794
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_12_2337236_11</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081418
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081622
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081804
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30083380
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30089038
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_12_2337236_34</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081704
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30083376
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_12_2337236_10</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081500
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30084864
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_12_2337236_8</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081418
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081542
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_12_2337236_49</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081630
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081788
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_12_2337236_52</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082144
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30083512
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30084910
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_12_2337236_26</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081418
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081626
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30085748
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_12_2337236_5</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081630
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081786
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_12_2337236_33</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081418
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081622
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30083262
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_12_2337236_16</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081418
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081926
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30085774
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_12_2337236_32</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081666
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30088888
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_12_2337236_23</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081958
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30083328
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_12_2337236_51</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081418
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081622
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081740
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_12_2337236_47</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082144
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30084370
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_12_2337236_2</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081418
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081594
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081826
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_12_2337236_50</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081630
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30083794
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30093280
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_12_2337236_41</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081704
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082546
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_12_2337236_24</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081910
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30085898
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30091706
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_12_2337236_15</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081500
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082964
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30083316
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30085282
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_12_2337236_38</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082144
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082334
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_12_2337236_31</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081888
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082802
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_12_2337236_14</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081418
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081622
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081804
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082820
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_12_2337236_21</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081958
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082084
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30091018
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_12_2337236_44</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082144
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30083512
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30092390
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_12_2337236_9</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081958
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082084
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082960
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_12_2337236_0</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081500
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081892
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_12_2337236_37</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30083294
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30085400
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_12_2337236_13</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081500
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30083024
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_12_2337236_36</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081360
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30087204
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_12_2337236_27</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082144
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082640
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_12_2337236_6</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081418
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081472
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_12_2337236_42</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082144
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30085164
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_12_2337236_28</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081958
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30087832
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_12_2337236_19</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081500
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082094
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_12_2337236_35</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081360
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082288
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_12_2337236_18</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081418
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081926
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082586
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_12_2337236_3</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081958
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082084
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30083550
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_12_2337236_25</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081500
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082964
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30083316
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30084738
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_12_2337236_48</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082144
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30085130
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_12_2337236_30</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30083294
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30091758
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_12_2337236_4</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081666
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30087044
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_12_2337236_17</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082144
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30094466
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_12_2337236_45</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081418
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081594
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082796
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_12_2337236_22</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081418
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081622
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082642
</commentlist>
</thread>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_11_12_2337236.0</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30083294
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30091758
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30085400
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_11_12_2337236.19</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081918
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_11_12_2337236.17</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30083570
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_11_12_2337236.1</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081540
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_11_12_2337236.11</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082076
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_11_12_2337236.5</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30084060
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_11_12_2337236.3</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082144
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30083512
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30092390
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30084910
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082640
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30094466
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30083186
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082334
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30084370
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30085130
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30085164
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_11_12_2337236.18</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081500
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30084864
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082162
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30088794
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081892
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30083024
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082198
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082094
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082964
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30083316
---http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30084738
---http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30085282
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_11_12_2337236.16</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081534
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_11_12_2337236.15</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081666
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30088888
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30087044
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30084788
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30084350
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_11_12_2337236.13</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081704
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30083376
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082546
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_11_12_2337236.10</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081910
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30085898
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30091706
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_11_12_2337236.14</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081888
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082802
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_11_12_2337236.12</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082662
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_11_12_2337236.8</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081958
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082084
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30091018
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082960
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30083550
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30083328
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30087832
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_11_12_2337236.2</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081630
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082716
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30083794
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30093280
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081786
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081788
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_11_12_2337236.9</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081856
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_11_12_2337236.7</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081360
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30087204
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081696
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30085868
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082288
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_11_12_2337236.6</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082308
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_11_12_2337236.4</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081418
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081926
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082586
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30085774
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081542
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081594
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081826
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082796
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081472
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081622
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30083262
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081804
---http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082820
---http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30083380
----http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30089038
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30082642
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081740
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081812
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30081626
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_12_2337236.30085748
</commentlist>
</conversation>
