Adobe Website XSS and Open Redirect Vulnerabilities

October 12, 2012 Prakhar Prasad 2 minutes
    Adobe Partners Website XSS

    Vulnerable Website: http://partners.adobe.com

    Cross-site scripting vulnerabilities were discovered on the above mentioned website, which when exploited by a cyber criminal could lead to cookie stealing or client side exploits which may take full control of a victim’s computer .

    Now one thing I’d like to add here, Adobe’s PSIRT was very dull while handling my issue. They took weeks to reply to my emails.Later on I found that this is not a new thing, Adobe has handled security issues poorly in earlier times.

    UPDATE: Janne Ahlberg also twitted about poor handling of security issues by Adobe, after this article was published.

    Vulnerability Timeline

    • 20th August 2012 - Vulnerability discovered and reported to Adobe PSIRT (psirt-at-adobe.com).
    • 24th August 2012 - Reply from Adobe PSIRT saying that they are investigating this issue
    • 24th August 2012 - I asked further queries I had
    • 3rd September 2012 - Sent another mail, because nobody responded to my last email
    • 14th September 2012- Reply from Adobe PSIRT saying that they are still researching this issue
    • 13th October 2012 - Issue fixed ‘silently’.No notification regarding the fix from Adobe PSIRT
    • 13th October 2012 - Public Disclosure
    Adobe Feeds Website Open Redirect

    Vulnerable Website: http://feeds.adobe.com

    An open-redirect issue was detected on the above website. The webpage takes a parameter ‘nextPage’ and redirects to it but while redirecting the page doesn’t check whether the value in ‘nextPage’ parameter is white-listed or not, so ends up in an open redirect issue.

    POC: http://feeds.adobe.com/controller.cfm?nextPage=http://www.google.com&handler=PostHandler&action=click&postId=1

    The above link will silently redirect to http://www.google.com

    Although this type of vulnerability is not considered critical but it can ‘hurt’ an unsuspecting user when used in an attack like phishing or specifically spear-phishing where the user might be fooled to believe that the link belongs to Adobe Inc.

    Video Demo:

    Vulnerability Timeline

    • 24th September 2012 - Vulnerability discovered and reported to Adobe PSIRT (psirt-at-adobe.com)
    • 13th October 2012 - No response from vendor, public disclosure

    So, this incident marks another big company failed to properly handle security issues.