Adobe Website XSS and Open Redirect Vulnerabilities

Adobe Partners Website XSS

Vulnerable Website: http://partners.adobe.com

Cross-site scripting vulnerabilities were discovered on the above-mentioned website. If exploited by a cyber criminal, they could lead to cookie theft or client-side exploits that may take full control of a victim's computer.

Now one thing I'd like to add here: Adobe's PSIRT was very dull while handling my issue. They took weeks to reply to my emails. Later on I found that this is not a new thing; Adobe has handled security issues poorly in earlier times.

UPDATE: Janne Ahlberg also tweeted about poor handling of security issues by Adobe after this article was published.

Vulnerability Timeline

  • 20th August 2012 - Vulnerability discovered and reported to Adobe PSIRT (psirt-at-adobe.com).
  • 24th August 2012 - Reply from Adobe PSIRT saying that they are investigating this issue
  • 24th August 2012 - I asked further queries I had
  • 3rd September 2012 - Sent another mail, because nobody responded to my last email
  • 14th September 2012 - Reply from Adobe PSIRT saying that they are still researching this issue
  • 13th October 2012 - Issue fixed 'silently'. No notification regarding the fix from Adobe PSIRT
  • 13th October 2012 - Public Disclosure
Adobe Feeds Website Open Redirect

Vulnerable Website: http://feeds.adobe.com

An open-redirect issue was detected on the above website. The page takes a 'nextPage' parameter and redirects to it without checking whether the value in 'nextPage' is white-listed, which results in an open redirect.

POC: http://feeds.adobe.com/controller.cfm?nextPage=http://www.google.com&handler=PostHandler&action=click&postId=1

The above link will silently redirect to http://www.google.com

Although this type of vulnerability is not considered critical, it can 'hurt' an unsuspecting user when used in an attack like phishing or, specifically, spear-phishing, where the user might be fooled into believing that the link belongs to Adobe Inc.
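The missing white-list check on 'nextPage' could look like the following. This is an added example, not code from Adobe or from the original post; the function name, the allow-list contents and the fallback path are assumptions.

```python
from urllib.parse import urlsplit

# Assumption: hosts this application is willing to redirect to.
ALLOWED_HOSTS = {"feeds.adobe.com", "partners.adobe.com"}
FALLBACK = "/"  # assumption: safe local landing page


def safe_redirect_target(next_page: str) -> str:
    """Return next_page if it is a local path or points at an
    allow-listed host over http/https; otherwise return FALLBACK."""
    if not next_page:
        return FALLBACK
    # Browsers treat "\" like "/" and drop tabs/newlines, so values that
    # contain backslashes, whitespace or control characters are rejected.
    if "\\" in next_page or any(ord(c) < 0x21 or ord(c) == 0x7F for c in next_page):
        return FALLBACK
    try:
        parts = urlsplit(next_page)
    except ValueError:  # e.g. malformed IPv6 literal
        return FALLBACK
    if not parts.scheme and not parts.netloc:
        # Relative reference: accept only paths rooted at a single "/".
        if next_page.startswith("/") and not next_page.startswith("//"):
            return next_page
        return FALLBACK
    # Scheme-relative URLs ("//host") have an empty scheme and fail here,
    # as do javascript:, data: and similar schemes.
    if parts.scheme not in ("http", "https"):
        return FALLBACK
    # .hostname strips userinfo ("user@") and port and lowercases the host,
    # so "feeds.adobe.com@other.example" is compared as "other.example".
    if parts.hostname in ALLOWED_HOSTS:
        return next_page
    return FALLBACK


if __name__ == "__main__":
    # Constructed sample inputs; the first is the value from the POC link.
    for value in (
        "http://www.google.com",
        "//www.google.com",
        "https://feeds.adobe.com@www.google.com/",
        "https://feeds.adobe.com/controller.cfm?postId=1",
        "/posts/1",
    ):
        print(f"{value!r:55} -> {safe_redirect_target(value)!r}")
```

The host comparison is an exact match against the set, so look-alike names that merely begin or end with an allowed host are rejected too.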

Vulnerability Timeline

  • 24th September 2012 - Vulnerability discovered and reported to Adobe PSIRT (psirt-at-adobe.com)
  • 13th October 2012 - No response from vendor, public disclosure

So, this incident marks another big company failing to properly handle security issues.