A simple HTML file upload form with client-side validation (JavaScript and ActionScript). The form tag's action attribute is set dynamically: its value comes from the SWF file and depends on the file that is being uploaded.
We can decompile the SWF for academic purposes.
By disabling JavaScript we block the information exchange, and then we add the right action target by editing the HTML form.
Anyhow, an attacker doesn't need any HTML form to upload a file. It can be done, for example, using a Perl script.
(This is the bottom line of client-side validation.)
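Since the form and its scripts can be skipped entirely, the check has to run on the server. The following is an added example, not part of the original post: the function name `validate_upload`, the allowed image types and the size limit are assumptions chosen for illustration.

```python
import os
import secrets

# Assumed policy for this example: only these image types are accepted.
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 2 * 1024 * 1024  # assumed size limit


def validate_upload(client_filename, data):
    """Return (ok, stored_name_or_reason). Nothing sent by the client is trusted."""
    if len(data) == 0 or len(data) > MAX_BYTES:
        return False, "size"
    # Drop any path the client supplied, for both separator styles.
    base = os.path.basename(client_filename.replace("\\", "/"))
    if "\x00" in base:
        return False, "name"
    ext = os.path.splitext(base)[1].lower()
    signatures = ALLOWED.get(ext)
    if signatures is None:
        return False, "extension"
    # The content must match the type that the extension claims.
    if not data.startswith(signatures):
        return False, "content"
    # Store under a server-generated name, never the client's.
    return True, secrets.token_hex(16) + ext


# Constructed sample requests, as any client (with or without the form) could send them.
SAMPLES = [
    ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ("page.php", b"<?php echo 1; ?>"),
    ("page.php.png", b"<?php echo 1; ?>"),
    ("..\\..\\avatar.gif", b"GIF89a" + b"\x00" * 16),
]

if __name__ == "__main__":
    for name, body in SAMPLES:
        print(name, validate_upload(name, body))
```

The stored file should also live outside any directory from which the web server executes scripts, so that a file that slips through is served as data only.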