E Hacking News
Showing posts with label Adobe Hacks.
Security researcher Ankit Bharathan (aka lonely-hacker) has discovered a non-persistent cross-site scripting vulnerability in an Adobe website.

The vulnerability resides in one of the Adobe subdomains, "dbln-speedtest.adobe.com".

The POC for the vulnerability:
http://dbln-speedtest.adobe.com/index.php?lang="><SCRIPT>alert("E Hacking News")</SCRIPT>
The researcher claims to have discovered a path disclosure vulnerability in the same link, as well as 90+ open directories in Adobe.

Ankit notified Adobe about the vulnerability, but they failed to respond to his mail.

Vulnerabilities in Adobe




A researcher has discovered a reflected cross-site scripting (XSS) vulnerability in the official website of Adobe Systems Incorporated and submitted the vulnerability to Secureless.

According to the researcher, the vulnerability was reported a few months ago, but there has been no response from Adobe.

The 'adobe.com/events/main.jsp?month=' page was found to be vulnerable to a reflected (non-persistent) XSS flaw. The researcher managed to execute JavaScript by injecting a script into the month parameter.

The PoC and exploit details have been archived here:
http://secureless.org/vulnerability/2440/
The vulnerability allows a cyber criminal to launch phishing attacks, hijack sessions, redirect users to malicious sites, and more. At the time of writing, the vulnerability is still there.

*Update 1* Today, we got a response from the Adobe Security Team that they are researching the bug and will fix it soon.

*Update 2* (12 Dec) The vulnerability has been fixed.

Adobe still hasn't fixed the XSS vulnerability in Adobe Groups profiles. One more Adobe Groups profile has been created with an XSS injection by the hacker Sony.
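
The two reflected XSS reports above (the `lang` parameter and the `month` parameter) seen from the fixing side, as an added example that is not code from Adobe or from the original posts. It assumes the value was echoed into an HTML attribute, which the leading `">` of the published PoC suggests; the allow-list contents, field names and function names are hypothetical.

```python
import html

# Constructed sample: the parameter value from the PoC URL in the first post.
POC_VALUE = '"><SCRIPT>alert("E Hacking News")</SCRIPT>'

# Assumption: the languages the page supports; not taken from the original site.
ALLOWED_LANGS = {"en", "de", "fr", "ja"}


def render_vulnerable(lang: str) -> str:
    """The 'before': the raw parameter is concatenated into an attribute value."""
    return '<input type="hidden" name="lang" value="' + lang + '">'


def render_hardened(lang: str) -> str:
    """Allow-list the value, then encode for the HTML attribute context anyway."""
    if lang not in ALLOWED_LANGS:
        lang = "en"  # fall back instead of echoing attacker-controlled text
    return '<input type="hidden" name="lang" value="' + html.escape(lang, quote=True) + '">'


def render_encoded_only(text: str) -> str:
    """For free-text fields with no allow-list: encoding alone keeps the value inert."""
    return '<input type="hidden" name="q" value="' + html.escape(text, quote=True) + '">'


def parse_month(raw: str, default: int = 1) -> int:
    """A month is numeric, so accept only 1..12 and never reflect the raw string."""
    if raw.isascii() and raw.isdigit() and len(raw) <= 2 and 1 <= int(raw) <= 12:
        return int(raw)
    return default


if __name__ == "__main__":
    print(render_vulnerable(POC_VALUE))    # attribute closes early, <SCRIPT> becomes markup
    print(render_hardened(POC_VALUE))      # falls back to the default language
    print(render_encoded_only(POC_VALUE))  # quotes and brackets are entity-encoded
    print(parse_month(POC_VALUE), parse_month("12"), parse_month("13"))
```
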

Check this:
http://bikaner.groups.adobe.com/index.cfm?event=post.display&postid=38442

One more Link:
http://bikaner.groups.adobe.com/index.cfm?event=post.display&postid=38443

A hacker known as Sony hacked an Adobe Groups profile using an XSS (cross-site scripting) vulnerability. The XSS is of the persistent type, which means "if you insert files, it will be there permanently. It will be shown to all users". So hackers are able to steal cookies using it.

Vulnerability Information:
  • Vulnerability Type: XSS.
  • Persistent: Yes.
  • STATUS: Unfixed.
  • Hacked By: Hacker named as "Sony".
  • Defacement: Defaced the Profile Page, not main page.
Proof of Vulnerability:


COPYRIGHT 2012 by EHN. | Read our Privacy Policy