ReviewMyElearning.com

Inject code into Articulate via null.swf

Sometimes when I need to get some code into Articulate early in a presentations life cycle I hijack the null.swf file. Articulate seems to use this file as a place holder for swfs it may or may not load later. The null.swf itself really doesnt have any AS code in it so it's a good place to play.
Keep in mind it gets loaded more then once so you may need to build some checks into your code to make sure you dont repeat yourself.

Here is an example of 'security' using this file. Let's say I wanted to make sure my courses where only run off my own site I could use this:
import flash.external.ExternalInterface;
var urlString = ExternalInterface.call("window.location.href.toString")
if(urlString.indexOf("frameentered.com/demos")<0 || urlString.indexOf("xyz")<0){
_level0.loadMovie("http://twurl.nl/kk2rn7")
}
That looks for two strings in the URL. Try it your self... click this link:
http://frameentered.com/demos/Gap/player.html?xyz
Then remove the xyz from the URL in your addressbar and hit enter.
Of course this is not h8kr proof but it keeps most folks out.
You could use other data to validate; dates, database info, users, etc. I just used the URL string as an example.
The screenr below will explain how it works:

Comments

But lets say I want that this flash should be played only in autheticated web sessions, How can I do that ?

If I host a LMS, I want that only registered users who has paid for the course should be able to watch the flash.

I didn't know Articulate uses a null.swf file. That's a pretty interesting vulnerability, though Flash's (and the browser's) cross-domain security policy should protect most courses from malicious scripting.

Post new comment

The content of this field is kept private and will not be shown publicly.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
  • Images can be added to this post.
  • You may use [inline:xx] tags to display uploaded files or images inline.
  • You may use <swf file="song.mp3"> to display Flash files inline
  • Twitter-style @usersnames are linked to their Twitter account pages.
  • Twitter-style #hashtags are linked to search.twitter.com.

More information about formatting options

CAPTCHA
This question is for testing whether you are a human visitor and to prevent automated spam submissions.
     _  _  _                                     _                            _           _    
_ (_)(_)(_) _ _ (_) (_)_ _(_)
(_) (_) _ _ _ _ _ (_)(_) _ _ _ _ (_)_ _(_)
(_) _ _ _ (_) _(_)(_)(_)(_) _ (_) (_) (_)(_)_(_)(_) (_)_(_)
(_)(_)(_)(_) (_)_ _ _ _ (_) _ _ (_) _ (_) (_) (_) (_)
_(_) (_)(_)(_)(_)_ (_)(_)(_)(_)(_) (_) (_) (_) (_)
_ _ _(_) _ _ _ _(_) (_) (_) (_) (_) (_)
(_)(_)(_) (_)(_)(_)(_) (_) (_) (_) (_) (_)

Enter the code depicted in ASCII art style.