Allowing users to upload SWFs -- security?
I'm involved in developing a media repository and the owners want people to be able to upload SWF files, and then allow public browsing of those SWF files via the web.
My concern is that people might be able to fill their SWFs full of code to (for example) access the server's file system, or hunt for passwords, or dump the memory of the server to the screen, or other malicious activity.
Has anyone got any advice as to where to start looking at the security implications, and/or how best to lock these SWFs down?
They'll be hosting on a Windows 2003 Server. I will already be insisting that the SWFs served to the browser will be served through some kind of 'wrapper' SWF of my construction, but will that make any difference? Could you code an SWF that can punch its way out of the wrapper and get loose on the server?
Many thanks in advance for any advice! :-)