Unrestricted crossdomain.xml and clientaccesspolicy.xml files can be abused by an attacker. The attacker can setup a rouge RIA app - a malaRIA - on a site, and if he can trick the user to visit the site, the malicious RIA can perform actions on behalf of the user (CSRF). Because the RIA runs in the user's browser, the requests will reuse the user's authentication cookies. Because the RIA is able to both read and request data, normal CSRF protection does not work (nonces/tokens can be read).
Such a RIA can at the same time transfer data back and forth to the server from which it came through a socket. This can allow the attacker to send commands to the RIA, which will then perform these actions.
The MalaRIA proxy consists of a silverlight or flex RIA application running in the browser and a java backend. The attack works like this:
Here is a video showing the components in action:
Update 2010-04-12: Adam tipped me about the post "Penetrating Intranets through Adobe Flex Applications" on how to exploit insecure proxy-config.xml through BlazeDS to attack the intranet. The authors have built a tool called Blazentoo to exploit such configs.
The current PoC does not support images and documents due to encoding issues. It should be possible to fix this, and thus this could potentially be used to also steal documentation.
Update 2010-04-14: Images and documents now supported.