Adobe Website XSS and Open Redirect Vulnerabilities
Adobe Partners Website XSS
Vulnerable Website: http://partners.adobe.com
Cross-site scripting vulnerabilities were discovered on the above mentioned website, which when exploited by a cyber criminal could lead to cookie stealing or client side exploits which may take full control of a victim's computer .
Now one thing I'd like to add here, Adobe's PSIRT was very dull while handling my issue. They took weeks to reply to my emails.Later on I found that this is not a new thing, Adobe has handled security issues poorly in earlier times.
UPDATE: Janne Ahlberg also twitted about poor handling of security issues by Adobe, after this article was published.
- 20th August 2012 - Vulnerability discovered and reported to Adobe PSIRT (psirt-at-adobe.com).
- 24th August 2012 - Reply from Adobe PSIRT saying that they are investigating this issue
- 24th August 2012 - I asked further queries I had
- 3rd September 2012 - Sent another mail, because nobody responded to my last email
- 14th September 2012- Reply from Adobe PSIRT saying that they are still researching this issue
- 13th October 2012 - Issue fixed ‘silently’.No notification regarding the fix from Adobe PSIRT
- 13th October 2012 - Public Disclosure
Adobe Feeds Website Open Redirect
Vulnerable Website: http://feeds.adobe.com
An open-redirect issue was detected on the above website. The webpage takes a parameter ‘nextPage’ and redirects to it but while redirecting the page doesn't check whether the value in ‘nextPage’ parameter is white-listed or not, so ends up in an open redirect issue.
The above link will silently redirect to http://www.google.com
Although this type of vulnerability is not considered critical but it can ‘hurt’ an unsuspecting user when used in an attack like phishing or specifically spear-phishing where the user might be fooled to believe that the link belongs to Adobe Inc.
- 24th September 2012 - Vulnerability discovered and reported to Adobe PSIRT (psirt-at-adobe.com)
- 13th October 2012 - No response from vendor, public disclosure
So, this incident marks another big company failed to properly handle security issues.