/vulndb/Open Cross Domain Policy

A cross-domain policy file (crossdomain.xml for Flash, clientaccesspolicy.xml for Silverlight) is the mechanism a browser plugin uses to relax the same-origin policy. By default the plugin refuses to let content loaded from one domain read responses fetched from another; a site that wants to permit such access serves a policy file listing the external domains that may read its content. An open cross-domain policy is the vulnerability that occurs when the policy file explicitly allows every external domain, for example allow-access-from domain="*" in crossdomain.xml or domain uri="*" in clientaccesspolicy.xml.

An attacker can host their own Flash or Silverlight application on any domain and lure a victim who is logged in to the target site into loading it. Because the target's policy trusts every origin, the plugin sends the attacker's requests to the target with the victim's cookies attached and lets the attacker's application read the responses. This gives the attacker the same access to the victim's session and other sensitive data as the legitimate application has, without the cross-site restrictions that would normally apply.

Solution

Explicitly declare the allowed domains in the cross-domain policy file, one entry per trusted host, and never use a bare wildcard. Avoid wildcard subdomains (*.example.com) unless every host under that suffix is trusted; on HTTPS sites set secure="true" on each entry so that cleartext origins cannot read protected content; and restrict where policy files may be served from (site-control permitted-cross-domain-policies="master-only") so that a user-uploaded file cannot act as a policy. If no cross-domain access is needed, serve a policy that permits none or remove the file altogether.
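As an added example (not part of the original entry), the following Python script embeds a constructed open crossdomain.xml and clientaccesspolicy.xml beside hardened versions of each, and audits them for the settings described above: a wildcard domain, wildcard subdomains, secure="false", a wildcard allow-http-request-headers-from entry, and a site-control value of "all". The domain names and resource paths are placeholders chosen for the example; the element and attribute names are those of the Adobe and Microsoft policy formats.

```python
import xml.etree.ElementTree as ET

# Constructed sample: an open Flash policy (not from the original page).
OPEN_CROSSDOMAIN_XML = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
"""

# Constructed sample: the same site with only named hosts trusted.
FIXED_CROSSDOMAIN_XML = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com" secure="true"/>
  <allow-access-from domain="static.example.com" secure="true"/>
</cross-domain-policy>
"""

# Constructed sample: an open Silverlight policy.
OPEN_CLIENTACCESSPOLICY_XML = """<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="*"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>
"""

# Constructed sample: one HTTPS origin, one resource subtree.
FIXED_CLIENTACCESSPOLICY_XML = """<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="SOAPAction">
        <domain uri="https://www.example.com"/>
      </allow-from>
      <grant-to>
        <resource path="/api/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>
"""


def audit_crossdomain(xml_text):
    """Return a list of findings for a Flash crossdomain.xml document."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*" grants every origin')
        elif domain.startswith("*."):
            findings.append(f"wildcard subdomain {domain}: every host under it is trusted")
        # Absent attribute is treated as secure="true", the plugin default.
        if el.get("secure", "true").lower() == "false":
            findings.append(f'secure="false" on {domain}: cleartext origins may read HTTPS content')
    for el in root.iter("allow-http-request-headers-from"):
        if el.get("domain") == "*":
            findings.append('allow-http-request-headers-from domain="*" lets any origin send custom headers')
    site_control = root.find("site-control")
    if site_control is not None and site_control.get("permitted-cross-domain-policies") == "all":
        findings.append('site-control permitted-cross-domain-policies="all": any path may host a policy file')
    return findings


def audit_clientaccesspolicy(xml_text):
    """Return a list of findings for a Silverlight clientaccesspolicy.xml document."""
    root = ET.fromstring(xml_text)
    findings = []
    for dom in root.iter("domain"):
        uri = dom.get("uri", "")
        if uri == "*":
            findings.append('domain uri="*" grants every origin')
        elif uri.startswith("http://"):
            findings.append(f"{uri}: cleartext origin; an on-path attacker can impersonate it")
    return findings


def is_open(xml_text, kind):
    """True when the policy of the given kind ('flash' or 'silverlight') has at least one finding."""
    auditor = audit_crossdomain if kind == "flash" else audit_clientaccesspolicy
    return bool(auditor(xml_text))


if __name__ == "__main__":
    for name, text, kind in [
        ("open crossdomain.xml", OPEN_CROSSDOMAIN_XML, "flash"),
        ("fixed crossdomain.xml", FIXED_CROSSDOMAIN_XML, "flash"),
        ("open clientaccesspolicy.xml", OPEN_CLIENTACCESSPOLICY_XML, "silverlight"),
        ("fixed clientaccesspolicy.xml", FIXED_CLIENTACCESSPOLICY_XML, "silverlight"),
    ]:
        auditor = audit_crossdomain if kind == "flash" else audit_clientaccesspolicy
        print(name, "->", auditor(text) or "no findings")
```

To check a live target, fetch https://target/crossdomain.xml and https://target/clientaccesspolicy.xml and pass the body to the matching auditor; a 404 for both means no plugin-based cross-domain access is granted at all.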

References

http://en.wikipedia.org/wiki/Cross-domain_solution
http://en.wikipedia.org/wiki/Same_origin_policy
http://kb2.adobe.com/cps/142/tn_14213.html
http://msdn.microsoft.com/en-us/library/cc197955(v=vs.95).aspx