Flash Cross-site scripting attack

Eyes on Security has released a warning about cross-site scripting attacks made possible on sites that allow file uploads: "Bypassing JavaScript Filters – the Flash way".

Basically, if you run a forum or any pages where users are allowed to upload files, a user can still execute JavaScript through an uploaded SWF file, even if posting JavaScript is disabled in the forum or on the pages. JavaScript execution lets a malicious user capture other users' cookies for the domain on which the file is hosted.

The solution? Do not allow SWF files to be uploaded and displayed by default.
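As an added example (not code from the original post or from Eyes on Security), a server-side upload check in Python that rejects Flash movies by their file signature rather than by extension alone, since a renamed `.swf` still runs in the Flash plug-in; the function names, the allowed-extension list and the sample bytes are assumptions.

```python
# Added example: reject SWF uploads by content, not only by file name.
# is_swf, check_upload and ALLOWED_EXTENSIONS are assumed names/policy.
import zlib
from typing import Tuple

# Every SWF begins with a 3-byte signature: FWS (uncompressed), CWS (zlib),
# ZWS (LZMA), followed by a 1-byte version and a 4-byte little-endian length.
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")
ALLOWED_EXTENSIONS = {"png", "jpg", "gif", "txt"}


def is_swf(data: bytes) -> bool:
    """Return True if the bytes look like a Flash movie, whatever the name says."""
    return len(data) >= 8 and data[:3] in SWF_SIGNATURES


def check_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Decide whether an uploaded file may be stored and served from the site."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension '.%s' not allowed" % ext
    # The extension alone is not enough: a Flash movie renamed to .gif would
    # still be executed by the plug-in once embedded in a page.
    if is_swf(data):
        return False, "content is a Flash movie (SWF signature)"
    return True, "ok"


# Constructed sample inputs (not real files), just enough to carry a header.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_SWF_UNCOMPRESSED = b"FWS\x08" + (24).to_bytes(4, "little") + b"\x00" * 16
SAMPLE_SWF_COMPRESSED = (b"CWS\x08" + (40).to_bytes(4, "little")
                         + zlib.compress(b"\x00" * 32))

if __name__ == "__main__":
    for name, data in [("avatar.png", SAMPLE_PNG),
                       ("movie.swf", SAMPLE_SWF_UNCOMPRESSED),
                       ("avatar.gif", SAMPLE_SWF_COMPRESSED)]:
        print(name, check_upload(name, data))
```

Serving user uploads from a separate domain removes the cookie exposure entirely, even if a filter like this one is bypassed.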

[Via FlashGuru via ActionScript.com]

