0

There are three settings in mms.cfg that I want to disable. It will disable file download and upload for Adobe Flash, but does it have any deeper issues?

LocalFileReadDisable = 1
FileDownloadDisable = 1
FileUploadDisable = 1

File uploads and downloads does not seem to be a problem since we can whitelist domains by setting this:

FileDownloadEnabledDomain = domain name or IP address

But what about disabling local file read? For security reasons I want to disable it, but I am afraid that it will break things.

Anders
  • 64,406
  • 24
  • 178
  • 215
ankit dangi
  • 29
  • 3
  • What do you mean with "does it have deeper issues"? Do you want to know if it will break functionality? Or do you want to know if it will protect you against some exploit? Not sure I understand what you are asking. – Anders Dec 28 '16 at 15:32
  • Just to be clear, are you after the security implications? – Arminius Dec 28 '16 at 15:32
  • I want to understand the impact of disabling this. From security recommendations it should be done right ? but if I do what will break ? – ankit dangi Dec 28 '16 at 15:42

1 Answers1

0

It breaks most SWFs. The issue is with LoadVars.Load(). This functions was widely used in Flash files. You need to check with your vendors on this.

From the Adobe Support:

Downloads variables from the specified URL, parses the variable data, and places the resulting variables into the LoadVars object that calls the method. You can load variables from a remote URL or from a URL in the local file system; the same encoding standards apply to both.

Also see this reference.

Anders
  • 64,406
  • 24
  • 178
  • 215
amarnath chatterjee
  • 175
  • 1
  • 4