October 12, 2012 · Bug Bounty Adobe XSS Open Redirect

Adobe Website XSS and Open Redirect Vulnerabilities

Adobe Partners Website XSS

Vulnerable Website: http://partners.adobe.com

Cross-site scripting vulnerabilities were discovered on the above-mentioned website. If exploited by a cyber criminal, they could lead to cookie theft or client-side exploits that may take full control of a victim's computer.

Now, one thing I'd like to add here: Adobe's PSIRT was very dull while handling my issue. They took weeks to reply to my emails. Later on I found that this is not a new thing; Adobe has handled security issues poorly in earlier times.

UPDATE: Janne Ahlberg also tweeted about poor handling of security issues by Adobe, after this article was published.

Vulnerability Timeline

Adobe Feeds Website Open Redirect

Vulnerable Website: http://feeds.adobe.com

An open redirect issue was detected on the above website. The page takes a parameter 'nextPage' and redirects to its value, but it does not check whether that value is whitelisted before redirecting, which results in an open redirect.

POC:

http://feeds.adobe.com/controller.cfm?nextPage=http://www.google.com&handler=PostHandler&action=click&postId=1

The above link will silently redirect to http://www.google.com

Although this type of vulnerability is not considered critical, it can 'hurt' an unsuspecting user when used in an attack such as phishing, or specifically spear-phishing, where the user might be fooled into believing that the link belongs to Adobe Inc.
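One way to validate the 'nextPage' value before redirecting, as an added example in Python (not code from Adobe or from the original post). The allowlist contents, the fallback path and the function names are assumptions made for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Assumed allowlist for this sketch; a real deployment lists its own hosts.
ALLOWED_HOSTS = {"feeds.adobe.com"}
FALLBACK = "/"  # assumed safe landing page when the target is rejected


def safe_redirect_target(next_page: str) -> str:
    """Return next_page if it is a rooted same-site path or an allowlisted
    absolute http(s) URL; otherwise return FALLBACK."""
    if not next_page:
        return FALLBACK
    # Browsers treat "\" like "/" and strip tabs/newlines, so values such
    # as "/\host" or "/<TAB>/host" can still leave the site.
    if "\\" in next_page or any(ord(c) < 0x20 or ord(c) == 0x7F for c in next_page):
        return FALLBACK
    try:
        parts = urlsplit(next_page)
    except ValueError:
        return FALLBACK
    if not parts.scheme and not parts.netloc:
        # Relative reference: accept only a rooted path, never "//host".
        if next_page.startswith("/") and not next_page.startswith("//"):
            return next_page
        return FALLBACK
    if parts.scheme not in ("http", "https"):
        return FALLBACK
    # hostname drops userinfo and port, so "allowed-host@other-host" is
    # judged by the host the browser would actually contact.
    host = (parts.hostname or "").lower().rstrip(".")
    return next_page if host in ALLOWED_HOSTS else FALLBACK


def redirect_for(request_url: str) -> str:
    """Resolve the redirect a handler would issue for request_url."""
    query = parse_qs(urlsplit(request_url).query)
    return safe_redirect_target(query.get("nextPage", [""])[0])
```

Exact host matching is deliberate: a suffix or substring comparison would accept look-alike hosts that merely contain the allowed name.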

Vulnerability Timeline

24th September 2012 - Vulnerability discovered and reported to Adobe PSIRT (psirt-at-adobe.com)
13th October 2012 - No response from vendor, public disclosure

So, this incident marks another big company that failed to properly handle security issues.