comments (not for humans)
A lot of flash and flex applications use an XML-file for configuration. The XML-file sets up which texts and images to show. However if we don't pay attention, this flash application can be abused for phishing or spam, because the attacker can specify which file to use in the flash - a client-side RFI (Remote File Inclusion). Luckily this is not as dangerous as server-side RFI, but it's still something you want to avoid.
I wrote a post about an RFI attack some days ago. The post is available here. The RFI script attempted to open backdoors by decoding and compiling base64 encoded c-code. The code was also available in perl versions. The script also allowed arbitrary upload and download of files, database dumps and much much more.[...]