Message-ID: <1301418291.7308.101.camel@tucbook>
Date: Tue, 29 Mar 2011 19:04:51 +0200
From: Stefano Di Paola <wisec@...ec.it>
To: Tom Keetch <twkeetch@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Adobe Omniture: Cookie-Forcing Issue
Hey Tom,
I don't know how you researched and found the issue.
Funny thing is that I found it some weeks ago as well with a
not-yet-released-tool-for-finding-DOMXss called "DOMInator", but I
decided to wait a bit to understand if it was exploitable and under which
conditions.
The only thing I can tell you is that on some sites it is actually
exploitable from the query string.
I know analyzing Js is such a pain in the ass, so I can understand the
situation. Nonetheless Adobe Psirt seems not to have really understood
the problem.
I sent an email to psirt some hours ago before reading your email.
Hopefully my email with a working poc and yours on F-D will force them
into fixing the vuln.
Keep up!
Stefano
--
...oOOo...oOOo....
Stefano Di Paola
Software & Security Engineer
Owasp Italy R&D Director
CTO @ MindedSecurity.com
Web: www.wisec.it
Twitter: http://twitter.com/WisecWisec
On Tue, 29/03/2011 at 15:54 +0100, Tom Keetch wrote:
> Hi All,
>
> Adobe have yet to set a fix date for this cookie forcing issue I found
> in their Omniture product. If the affected "plug-in" is installed on an
> HTTPS protected site, then by setting a malicious cookie for the
> insecure domain, it is possible to hijack secure connections to the
> domain by injecting malicious JavaScript into the page via the cookie.
> This issue would be exploitable by a malicious WiFi access point.
>
> Chris Evans at Google explains this class of issue in far more detail here:
> http://scarybeastsecurity.blogspot.com/2008/11/cookie-forcing.html
>
> I am releasing this bug (in a personal capacity) because Adobe have
> been doing nothing with it for just short of three months and deem it
> to be not an issue. If this vulnerability affects your site, then
> disable the affected plug-in, or Omniture as a whole. If you wish to
> contact Apple (psirt@...be.com) about this bug, then please refer to
> PSIRT issue #798. I believe that it is more responsible to release
> this publicly, than to leave it "undiscovered" in the product.
>
> Hardly a critical bug, but notable because it will apparently never be
> fixed (or I am wrong and no such issue exists).
>
> The affected code snippet is reproduced below.
>
> ####
>
> s_object_name.crossVisitParticipation = function(val, cookie_name, ex,
> ct, dl, events)
> {
> ...
> var cookie_value = this.cookie_read(cookie_name);
> ...
> var h = new Array;
> if (cookie_value && cookie_value != "")
> {
> arry = eval(cookie_value);
> }
> ...
>
> ####
>
>
> Cheers,
>
> Tom
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
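The quoted snippet passes whatever is in the cookie straight to eval(), which is what turns a cookie forced over plain HTTP into script running on the HTTPS page. The block below is an added example, written for this archive page and not code from Adobe/Omniture, Tom or Stefano: it replaces the eval() step with a JSON parse plus an allowlist check on every field, so a forced cookie is discarded instead of executed. The cookie layout (an array of [value, timestamp] pairs), the size limits and the allowed character set are assumptions made for the example; the real plug-in's format is not shown in the thread.

```javascript
// Added example: hardened replacement for the cookie-reading step in the
// quoted crossVisitParticipation snippet. Not Omniture's code; the cookie
// format and limits below are assumptions for illustration.

const MAX_ENTRIES = 10;                    // assumed cap on stored visits
const MAX_VALUE_LEN = 64;                  // assumed cap on one stored value
const SAFE_VALUE = /^[A-Za-z0-9_:.-]+$/;   // assumed allowlist for values

// Parse a cookie expected to hold JSON such as
//   [["email_campaign",1301418291],["banner_7",1301418300]]
// and return an array of {value, time} records. Anything that is not
// exactly that shape yields [] so the caller falls back to "no history".
// JSON.parse never executes code, unlike the eval() in the original.
function parseCrossVisitCookie(cookieValue) {
  if (typeof cookieValue !== "string" || cookieValue === "") return [];
  let parsed;
  try {
    parsed = JSON.parse(cookieValue);
  } catch (e) {
    return [];                             // not JSON: forced, corrupt or legacy
  }
  if (!Array.isArray(parsed) || parsed.length > MAX_ENTRIES) return [];
  const out = [];
  for (const entry of parsed) {
    if (!Array.isArray(entry) || entry.length !== 2) return [];
    const [value, time] = entry;
    if (typeof value !== "string" ||
        value.length === 0 ||
        value.length > MAX_VALUE_LEN ||
        !SAFE_VALUE.test(value)) return [];
    if (!Number.isInteger(time) || time < 0) return [];
    out.push({ value, time });
  }
  return out;
}

// Inverse of the parser: what a cookie_write() replacement would store.
function serializeCrossVisitCookie(entries) {
  return JSON.stringify(entries.map(e => [e.value, e.time]));
}

// Constructed sample inputs (not real Omniture cookies).
const GOOD_COOKIE = '[["email_campaign",1301418291],["banner_7",1301418300]]';
const FORCED_COOKIE = "[alert(1)]";              // eval() would run this
const LEGACY_COOKIE = "new Array(['x',1])";       // eval-era syntax, rejected
const OVERSIZED_COOKIE = JSON.stringify(
  Array.from({ length: MAX_ENTRIES + 1 }, (_, i) => ["v" + i, i]));

function demo() {
  return {
    good: parseCrossVisitCookie(GOOD_COOKIE).length,          // 2
    forced: parseCrossVisitCookie(FORCED_COOKIE).length,      // 0
    legacy: parseCrossVisitCookie(LEGACY_COOKIE).length,      // 0
    oversized: parseCrossVisitCookie(OVERSIZED_COOKIE).length // 0
  };
}

console.log(demo());
```

The parse-then-validate shape matters more than the exact allowlist: because the cookie can be written by anyone on the path to the HTTP origin, the HTTPS page has to treat it as untrusted input, and rejecting the whole value on the first bad field keeps partially attacker-shaped data from reaching the rest of the plug-in.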