lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <549644.80650.qm@web121405.mail.ne1.yahoo.com>
Date: Sat, 18 Dec 2010 15:30:17 -0800 (PST)
From: Victor Rigo <victor_rigo@...oo.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: adobe.com important subdomain SQL injection
	again!

Let's see, flash is:

- Cross-platform
- Cross-architecture
- Has it's own programming language
- Is embedded on websites
- Access to javascript to popup, local caches, etc.

It's not ineptness, it's what you get when you right software that can actually do stuff.

If Java applets were still the hip thing, you'd see the same thing about that.

Victor Rigo, CISSP

Computer Security Consultant

+5411-4316-1900

Buenos Aires, Argentina

--- On Sat, 12/18/10, Jeffrey Walton <noloader@...il.com> wrote:

From: Jeffrey Walton <noloader@...il.com>
Subject: Re: [Full-disclosure] adobe.com important subdomain SQL injection again!
To: "Maciej Gojny" <vuln@...ko-security.com>
Cc: full-disclosure@...ts.grok.org.uk
Date: Saturday, December 18, 2010, 5:53 PM

On Sat, Dec 18, 2010 at 11:58 AM, Maciej Gojny <vuln@...ko-security.com> wrote:
> hello full disclosure!
>
> After six months from the first contact with Adobe security team,  important
> adobe.com subdomain is still vulnerable to SQL injection attacks. We hope
> that this time, serious people will try to solve the problem.
There's a reason Adobe is the most attacked software [1,2], and its
probably because they write the most vulnerable software (or
adversaries are looking for a challenge, which seems less intuitive
and highly unlikely to me).

It appears "insecurity" is an enterprise wide practice, and not just
limited to their software.

Jeff

[1] "Adobe surpasses Microsoft as favorite hacker’s target" (Jul 2009)
http://lastwatchdog.com/adobe-surpasses-microsoft-favorite-hackers-target/

[2] "Adobe predicted as top 2010 hacker target" (Dec 2009)
http://www.theregister.co.uk/2009/12/29/security_predictions_2010/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



      
Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ