Okay, it’s been a tough day for new holes. This one affects nearly as many sites as the last IE hole, if you can believe that. Stefan Esser today released an issue with Flash where cross domain policy files can be embedded in almost anything. This isn’t the kind of thing you like to hear. Typically this sort of thing is handled by a proper XML reader, not by just scanning for where the XML begins and ends. As a result this could be a pretty big deal.
Any website that lets you host images, or lets you do redirection (thanks to the Internet Explorer mhtml issue), or has only a blacklist of HTML tags is now vulnerable to complete cross domain access via Flash. That’s really bad, folks. Although Stefan says that response splitting and XSS aren’t issues since you have XSS access, this isn’t completely true. I’ve seen a few situations where I could inject information but it wouldn’t render as HTML. Things served as text/plain are now vulnerable too. Like I said, this is not a small problem, and it will affect many, many websites out there that are otherwise free from compromise.
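The difference between a proper XML reader and a scan for where the policy begins and ends, as an added example that is not from the post: a strict parse of an upload rejects the non-XML bytes around an embedded policy, while a lenient scan still finds it, which is also the check a site hosting user content can run to refuse such uploads. The "image" bytes below are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: junk bytes standing in for an image, with a
# wide-open cross domain policy embedded in the middle of the file.
SAMPLE_UPLOAD = (
    b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    + b'<cross-domain-policy><allow-access-from domain="*"/></cross-domain-policy>'
    + b"\xff" * 16
)

# A lenient reader only cares about where the policy element starts and ends.
POLICY_RE = re.compile(
    rb"<cross-domain-policy[\s>].*?</cross-domain-policy>",
    re.DOTALL | re.IGNORECASE,
)


def strict_parse(data: bytes):
    """Parse the whole body as XML; surrounding non-XML bytes make this fail."""
    try:
        return ET.fromstring(data)
    except ET.ParseError:
        return None


def lenient_find_policy(data: bytes):
    """Return an embedded policy element if one exists anywhere in the body."""
    m = POLICY_RE.search(data)
    return m.group(0) if m else None


def allowed_domains(policy: bytes):
    """List the domains a found policy element would grant access to."""
    root = ET.fromstring(policy)
    return [el.get("domain") for el in root.iter("allow-access-from")]


def upload_carries_policy(data: bytes) -> bool:
    """Server-side check for user content: true if a policy is embedded."""
    return lenient_find_policy(data) is not None
```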