Adobe BlazeDS Information Disclosure Vulnerability

Vulnerability cause
Input validation error
Severity

 
Affected systems
Adobe LiveCycle Data Services 2.6.1
Adobe LiveCycle Data Services 2.5.1
Adobe LiveCycle Data Services 3.0
Adobe LiveCycle 8.2.1
Adobe LiveCycle 8.0.1
Adobe LiveCycle 9.0
Adobe Flex Data Services 2.0.1
Adobe ColdFusion 8.0.1
Adobe ColdFusion 7.0.2
Adobe ColdFusion 9.0
Adobe ColdFusion 8
Adobe BlazeDS 3.2
 
Unaffected systems
 
Impact
A remote attacker can exploit the vulnerability to obtain sensitive information.
 
Attack prerequisites
The attacker must build a malicious web page and entice a user into parsing it.
 
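Vulnerability information
Adobe BlazeDS is a server-based Java remoting and web messaging technology that enables back-end Java applications and Adobe Flex applications running in the browser to communicate with each other.
Adobe BlazeDS contains a vulnerability in how it handles XML external entity references and injected tags in inbound requests, which can lead to disclosure of sensitive information.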
 
Test method
 
Vendor solution
Users can refer to the patch information provided by the vendor:
Adobe LiveCycle Data Services 3.0
Adobe lcds3_hf_262986.zip
http://download.macromedia.com/pub/security/bulletins/lcds3_hf_262986.zip
Adobe ColdFusion 9.0
Adobe Coldfusion9BlazeDS.zip
http://kb2.adobe.com/cps/822/cpsid_82241/attachments/Coldfusion9BlazeDS.zip
Adobe Coldfusion9LCDS.zip
http://kb2.adobe.com/cps/822/cpsid_82241/attachments/Coldfusion9LCDS.zip
Adobe ColdFusion 8
Adobe Coldfusion8LCDS.zip
http://kb2.adobe.com/cps/822/cpsid_82241/attachments/Coldfusion8LCDS.zip
Adobe LiveCycle 9.0
Adobe livecycle9_0.zip
http://download.macromedia.com/pub/security/bulletins/livecycle9_0.zip
Adobe BlazeDS 3.2
Adobe blz32_hf_12617.zip
http://download.macromedia.com/pub/security/bulletins/blz32_hf_12617.zip
Adobe Flex Data Services 2.0.1
Adobe fds201_hf_262793b.zip
http://download.macromedia.com/pub/security/bulletins/fds201_hf_262793b.zip
Adobe LiveCycle Data Services 2.5.1
Adobe lcds251_hf_262793.zip
http://download.macromedia.com/pub/security/bulletins/lcds251_hf_262793.zip
Adobe LiveCycle Data Services 2.6.1
Adobe lcds261_hf_262977.zip
http://download.macromedia.com/pub/security/bulletins/lcds261_hf_262977.zip
Adobe ColdFusion 7.0.2
Adobe Coldfusion7FlexDS.zip
http://kb2.adobe.com/cps/822/cpsid_82241/attachments/Coldfusion7FlexDS.zip
Adobe LiveCycle 8.0.1
Adobe livecycle8_0_1.zip
http://download.macromedia.com/pub/security/bulletins/livecycle8_0_1.zip
Adobe ColdFusion 8.0.1
Adobe Coldfusion8LCDS.zip
http://kb2.adobe.com/cps/822/cpsid_82241/attachments/Coldfusion8LCDS.zip
Adobe LiveCycle 8.2.1
Adobe livecycle8_2_1.zip
http://download.macromedia.com/pub/security/bulletins/livecycle8_2_1.zip
 
Vulnerability credit
Roberto Suggi Liverani of Security-Assessment.com
