According to this article on the Hardened PHP site, a well-placed image upload will give any Flash movie cross-domain access to the image URL's subpath.
A Flash cross-domain policy file can be anywhere and, because the Flash plugin doesn't check the file format thoroughly enough, it can even be hidden inside an image that masquerades as a valid cross-domain policy file. Once the image file is in place, any movie can call loadPolicyFile with the image's URL to access resources without tripping the cross-domain policy check.
Oy. Now we have to scrub images as well?
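One way to start scrubbing, as an added example that is not from the article or the Hardened PHP site: reject any upload whose bytes contain cross-domain policy markup, regardless of its image header. The function names and sample bytes are constructed for illustration, and covering UTF-16 encodings of the markup is a conservative assumption, not something the article states.

```python
# Added example: heuristic upload check. The markers are the standard
# element names of a Flash cross-domain policy file; the function names
# and sample bytes are constructed for illustration.
MARKERS = ("<cross-domain-policy", "<allow-access-from")
# Assumption: also look for UTF-16 forms of the markup, to be conservative.
ENCODINGS = ("ascii", "utf-16-le", "utf-16-be")


def policy_markers_in(data: bytes) -> list[str]:
    """Return the policy-file markers found anywhere in the uploaded bytes."""
    lowered = data.lower()  # bytes.lower() only changes ASCII letters
    found = []
    for marker in MARKERS:
        if any(marker.encode(enc) in lowered for enc in ENCODINGS):
            found.append(marker)
    return found


def accept_upload(data: bytes) -> bool:
    """Reject an upload that carries policy markup, whatever its header says."""
    return not policy_markers_in(data)


# Constructed samples: a GIF signature followed by filler bytes, and the
# same signature followed by policy markup with a placeholder domain.
CLEAN = b"GIF89a" + bytes(range(1, 64))
TAINTED = (
    b"GIF89a\x01\x00\x01\x00"
    b'<cross-domain-policy><allow-access-from domain="example.invalid"/>'
    b"</cross-domain-policy>"
)
TAINTED_UTF16 = b"GIF89a" + "<cross-domain-policy>".encode("utf-16-le")

if __name__ == "__main__":
    samples = [("clean", CLEAN), ("tainted", TAINTED), ("utf16", TAINTED_UTF16)]
    for name, blob in samples:
        print(name, accept_upload(blob), policy_markers_in(blob))
```

A literal-markup match is only a pre-filter: it flags the obvious case and says nothing about an upload that passes.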