

Crossdomain.xml Invites Cross-site Mayhem - bdfh42
http://jeremiahgrossman.blogspot.com/2008/05/crossdomainxml-invites-cross-site.html

======
xirium
From the comments: I came across the "crossdomain.xml" file months ago after I
noticed a massive number of requests for it on my own website from an IP I had
been serving with a 403 error. I subsequently set this file, which did not
exist anyhow, as one of the many that I automatically monitor in order to
detect obscure requests. I realized the potential for abuse, but didn't
realize how widespread the issue actually was, and never even thought of
considering the possible subdomains outlined in the file for accessibility.

This could very quickly become a serious issue if people just set a default
file, like robots.txt or favicon.ico and don't consider the consequences. 18%
of top companies could already be vulnerable. Have you had an account snarfed?
This is how it could have happened.

