As reported on the 5th of June 2002 in a paper from Eyes On Security (Bypassing JavaScript Filters – the Flash! Attack), Flash SWF content can allow malicious users of web sites that allow users to upload or include SWF content to get access to information (cookies etc) that they aren’t supposed to have access to.
Today Macromedia has released a security tech note about the issue: Macromedia: MPSB02-08 – Macromedia Flash Player Cross Server Scripting Security Issue
It describes the problem in detail, and most interestingly offers a solution to the problem. Macromedia is announcing that they will be releasing a new version of the Flash 6 player in July, which will allow for a new PARAM/EMBED tag when including Flash content in an HTML page. The new parameter will be called “AllowScriptAccess” and can be set to “always” or “never”. When set to “never” it would disallow outbound scripting (ActionScript getURL() actions that specify a scripting statement).
[Via Mike Chambers]