Hey Tom, I don't know how you researched and found the issue. Funny is that I found it some weeks ago as well with a not-yet-released tool for finding DOM XSS called "DOMInator", but I decided to wait a bit to understand if it was exploitable and in which conditions. The only thing I can tell you is that on some sites it is actually exploitable from the query string. I know analyzing JS is such a pain in the ass, so I can understand the situation. Nonetheless Adobe PSIRT seems not to have really understood the problem.
I sent an email to PSIRT some hours ago before reading your email. Hopefully my email with a working PoC and yours on F-D will force them into fixing the vuln. Keep up!

Stefano

-- 
...oOOo...oOOo....
Stefano Di Paola
Software & Security Engineer
Owasp Italy R&D Director
CTO @ MindedSecurity.com
Web: www.wisec.it
Twitter: http://twitter.com/WisecWisec

On Tue, 29/03/2011 at 15.54 +0100, Tom Keetch wrote:
> Hi All,
>
> Adobe have yet to set a fix date for this cookie forcing issue I found
> in their Omniture product. If the affected "plug-in" is installed on a
> HTTPS protected site, then by setting a malicious cookie for the
> insecure domain, it is possible to hijack secure connections to the
> domain by injecting malicious JavaScript into the page via the cookie.
> This issue would be exploitable by a malicious WiFi access point.
>
> Chris Evans at Google explains this class of issue in far more detail here:
> http://scarybeastsecurity.blogspot.com/2008/11/cookie-forcing.html
>
> I am releasing this bug (in a personal capacity) because Adobe have
> been doing nothing with it for just short of three months and deem it
> to be not an issue. If this vulnerability affects your site, then
> disable the affected plug-in, or Omniture as a whole. If you wish to
> contact Apple ([email protected]) about this bug, then please refer to
> PSIRT issue #798. I believe that it is more responsible to release
> this publicly, than to leave it "undiscovered" in the product.
>
> Hardly a critical bug, but notable because it will apparently never be
> fixed (or I am wrong and no such issue exists).
>
> The affected code snippet is reproduced below.
>
> ####
>
> s_object_name.crossVisitParticipation = function(val, cookie_name, ex,
> ct, dl, events)
> {
> ...
> var cookie_value = this.cookie_read(cookie_name);
> ...
> var h = new Array;
> if (cookie_value && cookie_value != "")
> {
> arry = eval(cookie_value);
> }
> ...
>
> ####
>
>
> Cheers,
>
> Tom
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
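A hardened replacement for the quoted eval() pattern, added here as an example. It is not Omniture's code and not from either message above; the cookie name `s_cvp`, the function names and the list-of-strings cookie format are assumptions. The point it shows: a cookie that a plaintext HTTP response can force onto the domain must be treated as untrusted data even when read from an HTTPS page, so it is parsed with a data-only parser and validated, never executed.

```javascript
// Added example (not Omniture's or the posters' code). Assumed names:
// parseVisitCookie, readCookie, serializeVisitCookie, cookie "s_cvp".
//
// The quoted Omniture snippet does `arry = eval(cookie_value)`: whatever
// string sits in the cookie runs as JavaScript in the page. Because a
// cookie for the domain can be set by a plain-HTTP response (cookie
// forcing), the value must be handled as attacker-controlled data.

// Strict reader: accepts only a JSON array of short strings, else [].
function parseVisitCookie(cookieValue) {
  if (typeof cookieValue !== 'string' || cookieValue === '') return [];
  if (cookieValue.length > 4096) return [];       // bound the untrusted input
  let parsed;
  try {
    parsed = JSON.parse(cookieValue);             // parses data, never executes
  } catch (e) {
    return [];                                    // malformed: same as "no cookie"
  }
  if (!Array.isArray(parsed)) return [];
  const allStrings = parsed.every(v => typeof v === 'string' && v.length <= 256);
  return allStrings ? parsed : [];
}

// Looks up one cookie by exact name in a document.cookie-style string.
// Plain string splitting, so a crafted name cannot alter the match.
function readCookie(cookieHeader, name) {
  for (const part of cookieHeader.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    if (part.slice(0, idx).trim() !== name) continue;
    try {
      return decodeURIComponent(part.slice(idx + 1).trim());
    } catch (e) {
      return null;                                // bad %-encoding: treat as absent
    }
  }
  return null;
}

// Writes the value in the shape the strict reader accepts.
function serializeVisitCookie(values) {
  return encodeURIComponent(JSON.stringify(values.map(String)));
}

// Constructed inputs for a stand-alone run.
if (typeof require !== 'undefined' && require.main === module) {
  const header = 'x=1; s_cvp=' + serializeVisitCookie(['p', 'q']);
  console.log(parseVisitCookie(readCookie(header, 's_cvp')));   // [ 'p', 'q' ]
  console.log(parseVisitCookie("new Array('x')"));              // [] (valid JS, rejected)
}
```

The original also relied on `cookie_read` returning whatever the browser sent; a `Secure` attribute on the cookie does not by itself stop cookie forcing as described in the linked post, which is why the read side above does the validation rather than trusting the write side.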
