Re: adobe.com important subdomain SQL injection again!

[Jeffrey Walton <noloader () gmail com>]

On Sat, Dec 18, 2010 at 6:30 PM, Victor Rigo <victor_rigo () yahoo com> wrote:

>   Let's see, flash is:
>
> - Cross-platform
> - Cross-architecture
> - Has it's own programming language
> - Is embedded on websites
> - Access to javascript to popup, local caches, etc.
* Insecure (Adobe's implementation)


>   It's not ineptness, it's what you get when you right software that can
> actually do stuff.
For completeness, I did not claim they are inept - only insecure. Insecurity
in the absence of ineptness is probably more egregious - they should know
better.

 It will be interesting to see if HTML 5 has as many security problems. I
would love to see an Adobe implementation of HTML 5 go head to head with
Chrome or IE. Its too bad (or perhaps we are fortunate) that Adobe does not
make browsers.

Jeff


>   --- On *Sat, 12/18/10, Jeffrey Walton <noloader () gmail com>* wrote:
>
>
> From: Jeffrey Walton <noloader () gmail com>
> Subject: Re: [Full-disclosure] adobe.com important subdomain SQL injection
> again!
> To: "Maciej Gojny" <vuln () ariko-security com>
> Cc: full-disclosure () lists grok org uk
> Date: Saturday, December 18, 2010, 5:53 PM
>
>   On Sat, Dec 18, 2010 at 11:58 AM, Maciej Gojny <vuln () ariko-security com<http://mc/compose?to=vuln () 
> ariko-security com>>
> wrote:
> > hello full disclosure!
> >
> > After six months from the first contact with Adobe security team,
>  important
> > adobe.com subdomain is still vulnerable to SQL injection attacks. We
> hope
> > that this time, serious people will try to solve the problem.
> There's a reason Adobe is the most attacked software [1,2], and its
> probably because they write the most vulnerable software (or
> adversaries are looking for a challenge, which seems less intuitive
> and highly unlikely to me).
>
> It appears "insecurity" is an enterprise wide practice, and not just
> limited to their software.
>
> Jeff
>
> [1] "Adobe surpasses Microsoft as favorite hacker’s target" (Jul 2009)
> http://lastwatchdog.com/adobe-surpasses-microsoft-favorite-hackers-target/
>
> [2] "Adobe predicted as top 2010 hacker target" (Dec 2009)
> http://www.theregister.co.uk/2009/12/29/security_predictions_2010/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/