[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] adobe.com important subdomain SQL injection again!
- To: Victor Rigo <victor_rigo@xxxxxxxxx>
- Subject: Re: [Full-disclosure] adobe.com important subdomain SQL injection again!
- From: Jeffrey Walton <noloader@xxxxxxxxx>
- Date: Sun, 19 Dec 2010 14:31:14 -0500
On Sat, Dec 18, 2010 at 6:30 PM, Victor Rigo <victor_rigo@xxxxxxxxx> wrote:
> Let's see, flash is:
>
> - Cross-platform
> - Cross-architecture
> - Has it's own programming language
> - Is embedded on websites
> - Access to javascript to popup, local caches, etc.
>
* Insecure (Adobe's implementation)
> It's not ineptness, it's what you get when you right software that can
> actually do stuff.
>
For completeness, I did not claim they are inept - only insecure. Insecurity
in the absence of ineptness is probably more egregious - they should know
better.
It will be interesting to see if HTML 5 has as many security problems. I
would love to see an Adobe implementation of HTML 5 go head to head with
Chrome or IE. Its too bad (or perhaps we are fortunate) that Adobe does not
make browsers.
Jeff
> --- On *Sat, 12/18/10, Jeffrey Walton <noloader@xxxxxxxxx>* wrote:
>
>
> From: Jeffrey Walton <noloader@xxxxxxxxx>
> Subject: Re: [Full-disclosure] adobe.com important subdomain SQL injection
> again!
> To: "Maciej Gojny" <vuln@xxxxxxxxxxxxxxxxxx>
> Cc: full-disclosure@xxxxxxxxxxxxxxxxx
> Date: Saturday, December 18, 2010, 5:53 PM
>
> On Sat, Dec 18, 2010 at 11:58 AM, Maciej Gojny
> <vuln@xxxxxxxxxxxxxxxxxx<http://mc/compose?to=vuln@xxxxxxxxxxxxxxxxxx>>
> wrote:
> > hello full disclosure!
> >
> > After six months from the first contact with Adobe security team,
> important
> > adobe.com subdomain is still vulnerable to SQL injection attacks. We
> hope
> > that this time, serious people will try to solve the problem.
> There's a reason Adobe is the most attacked software [1,2], and its
> probably because they write the most vulnerable software (or
> adversaries are looking for a challenge, which seems less intuitive
> and highly unlikely to me).
>
> It appears "insecurity" is an enterprise wide practice, and not just
> limited to their software.
>
> Jeff
>
> [1] "Adobe surpasses Microsoft as favorite hacker’s target" (Jul 2009)
> http://lastwatchdog.com/adobe-surpasses-microsoft-favorite-hackers-target/
>
> [2] "Adobe predicted as top 2010 hacker target" (Dec 2009)
> http://www.theregister.co.uk/2009/12/29/security_predictions_2010/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/