Re: Adobe Omniture: Cookie-Forcing Issue

[Stefano Di Paola <wisec () wisec it>]

Hey Tom,
I don't know how you researched and find the issue. 
Funny is that I found it some weeks ago as well with a
not-yet-released-tool-for-finding-DOMXss called "DOMInator",  but I
decided to wait a bit to understand if it was exploitable and in which
conditions.
The only thing I can tell you is that on some site it is actually
exploitable from query string.
I know analyzing Js is such a pain in the ass, so I can understand the
situation.  Nonetheless Adobe Psirt seems not to have really understood
the problem.

I sent an email to psirt some hours ago before reading your email.
Hopefully my email with a working poc and yours on F-D will force them
in fixing the vuln.

Keep up!
Stefano

-- 
...oOOo...oOOo....
Stefano Di Paola
Software & Security Engineer
Owasp Italy R&D Director
CTO @ MindedSecurity.com 

Web: www.wisec.it 
Twitter: http://twitter.com/WisecWisec



Il giorno mar, 29/03/2011 alle 15.54 +0100, Tom Keetch ha scritto:
> Hi All,
>
> Adobe have yet to set a fix date for this cookie forcing issue I found
> in their Omniture product. If the affected "plug-in" is installed on a
> HTTPS protected site, then by setting a malicious cookie for the
> insecure domain, it is possible to hijack secure connections to the
> domain by injecting malicious JavaScript into the page via the cookie.
> This issue would be exploitable by a malicious WiFi access point.
>
> Chris Evans at Google explains this class of issue in far more detail here:
> http://scarybeastsecurity.blogspot.com/2008/11/cookie-forcing.html
>
> I am releasing this bug (in a personal capacity) because Adobe have
> been doing nothing with it for just short of three months and deem it
> to be not an issue. If this vulnerability affects your site, then
> disable the affected plug-in, or Omniture as a whole. If you wish to
> contact Apple (psirt () adobe com) about this bug, then please refer to
> PSIRT issue #798. I believe that it is more responsible to release
> this publically, than to leave it "undiscovered" in the product.
>
> Hardly a critical bug, but notable because it will apparently never be
> fixed (or I am wrong and no such issue exists).
>
> The affected code snippet is reproduced below.
>
> ####
>
> s_object_name.crossVisitParticipation = function(val, cookie_name, ex,
> ct, dl, events)
> {
> ...
>     var cookie_value = this.cookie_read(cookie_name);
> ...
>     var h = new Array;
>     if (cookie_value && cookie_value != "")
>     {
>         arry = eval(cookie_value);
>     }
> ...
>
> ####
>
>
> Cheers,
>
> Tom
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/