I am not sure if I have understood the use of crossdomain.xml. I am using Uploadify (2.1.4), a Flash file uploader. I need to upload files from Domain A to Domain B. Uploadify is hosted on Domain A. To allow the Uploadify Flash plugin to communicate with and load from Domain B, I have to place the crossdomain.xml file on Domain B. Thus, if Uploadify finds the crossdomain.xml file on Domain B, which has Domain A in the whitelist, then the file will be uploaded to Domain B. Everything sounds fine so far.

However, I don't understand what prevents an attacker from creating a clone of the uploader on a local website on his computer and subsequently modifying /etc/hosts so that the local installation uses Domain A as its domain name. Now the attacker can upload files to Domain B, pretending that he is Domain A, and Domain B will openly accept the upload, since it has Domain A listed in the whitelist in crossdomain.xml.

What is the purpose of crossdomain.xml if it can be so easily circumvented as above? I could be completely wrong in my understanding of this. It would be helpful to understand this.
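The following is an added example, not code from the question or from Uploadify, showing how a Flash Player evaluates a crossdomain.xml policy: it compares the origin the SWF was loaded from against the `allow-access-from` rules served by the target host, and this comparison runs entirely inside the browser that loaded the SWF. The server on Domain B only ever sees an ordinary HTTP request; nothing in the policy file identifies who sent it. The policy text and host names (`upload.domain-b.example`, `uploader.domain-a.example`, `*.cdn.domain-a.example`) are constructed for the example; the wildcard rule (`*.example.com` also matching `example.com`) and the `secure` attribute default follow Adobe's cross-domain policy file specification as I remember it, so treat those details as assumptions to verify against the current spec.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample policy, as it might be served from
# https://upload.domain-b.example/crossdomain.xml (hypothetical hosts).
DOMAIN_B_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="uploader.domain-a.example" secure="false" />
  <allow-access-from domain="*.cdn.domain-a.example" />
</cross-domain-policy>
"""


def domain_matches(pattern: str, host: str) -> bool:
    """Match a host against an allow-access-from domain pattern.

    Assumed rules: "*" matches everything; "*.base" matches "base" and any
    subdomain of it; anything else is an exact (case-insensitive) match.
    """
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern


def policy_allows(policy_xml: str, policy_url: str, swf_origin: str) -> bool:
    """Decide, as the Flash Player in the user's browser would, whether a SWF
    loaded from swf_origin may talk to the host that served policy_xml.

    policy_url is the URL the policy was fetched from; it matters only for
    the secure attribute, which (when left at its default of "true") refuses
    http-loaded SWFs access to an https-served policy.
    """
    swf = urlsplit(swf_origin)
    swf_host = swf.hostname or ""
    swf_is_https = swf.scheme == "https"
    policy_is_https = urlsplit(policy_url).scheme == "https"

    root = ET.fromstring(policy_xml.encode())
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain policy document")

    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        secure = rule.get("secure", "true").lower() != "false"
        if not domain_matches(domain, swf_host):
            continue
        if policy_is_https and secure and not swf_is_https:
            continue  # rule requires the SWF itself to come over https
        return True
    return False


if __name__ == "__main__":
    policy_url = "https://upload.domain-b.example/crossdomain.xml"
    for origin in (
        "http://uploader.domain-a.example/uploadify.swf",   # listed, secure=false
        "https://assets.cdn.domain-a.example/uploadify.swf",  # wildcard match
        "http://assets.cdn.domain-a.example/uploadify.swf",   # wildcard, but not https
        "http://uploader.domain-a.example.evil.example/x.swf",  # suffix trick
    ):
        print(origin, "->", policy_allows(DOMAIN_B_POLICY, policy_url, origin))
```

Because every decision above is taken by the player on the client side, the file only restricts what a SWF can do inside a browser that loaded it from some other site; whether Domain B should accept a given upload is a separate question that has to be answered by Domain B's own request authentication.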