Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: adobe.com important subdomain SQL injection again!
From: Jeffrey Walton <noloader () gmail com>
Date: Sun, 19 Dec 2010 14:31:14 -0500

On Sat, Dec 18, 2010 at 6:30 PM, Victor Rigo <victor_rigo () yahoo com> wrote:

  Let's see, flash is:

- Cross-platform
- Cross-architecture
- Has it's own programming language
- Is embedded on websites
- Access to javascript to popup, local caches, etc.

* Insecure (Adobe's implementation)


  It's not ineptness, it's what you get when you right software that can
actually do stuff.

For completeness, I did not claim they are inept - only insecure. Insecurity
in the absence of ineptness is probably more egregious - they should know
better.

 It will be interesting to see if HTML 5 has as many security problems. I
would love to see an Adobe implementation of HTML 5 go head to head with
Chrome or IE. Its too bad (or perhaps we are fortunate) that Adobe does not
make browsers.

Jeff


  --- On *Sat, 12/18/10, Jeffrey Walton <noloader () gmail com>* wrote:


From: Jeffrey Walton <noloader () gmail com>
Subject: Re: [Full-disclosure] adobe.com important subdomain SQL injection
again!
To: "Maciej Gojny" <vuln () ariko-security com>
Cc: full-disclosure () lists grok org uk
Date: Saturday, December 18, 2010, 5:53 PM

  On Sat, Dec 18, 2010 at 11:58 AM, Maciej Gojny <vuln () ariko-security com<http://mc/compose?to=vuln () 
ariko-security com>>
wrote:
hello full disclosure!

After six months from the first contact with Adobe security team,
 important
adobe.com subdomain is still vulnerable to SQL injection attacks. We
hope
that this time, serious people will try to solve the problem.
There's a reason Adobe is the most attacked software [1,2], and its
probably because they write the most vulnerable software (or
adversaries are looking for a challenge, which seems less intuitive
and highly unlikely to me).

It appears "insecurity" is an enterprise wide practice, and not just
limited to their software.

Jeff

[1] "Adobe surpasses Microsoft as favorite hacker’s target" (Jul 2009)
http://lastwatchdog.com/adobe-surpasses-microsoft-favorite-hackers-target/

[2] "Adobe predicted as top 2010 hacker target" (Dec 2009)
http://www.theregister.co.uk/2009/12/29/security_predictions_2010/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]