<p>
Copyright Security-Assessment.com 2010
www.security-assessment.com
Vulnerability Advisory
Name
Multiple Adobe Products XML External Entity Injection And XML Injection
CVE
CVE-2009-3960
Adobe PSIRT
APSB10-05 - http://www.adobe.com/support/security/bulletins/apsb10-05.html
Date Released
February 22, 2010
Affected Software
BlazeDS 3.2 and earlier versions
LiveCycle 9.0, 8.2.1, and 8.0.1
LiveCycle Data Services 3.0, 2.6.1, and 2.5.1
Flex Data Services 2.0.1
ColdFusion 9.0, 8.0.1, 8.0, and 7.0.2
Researcher
Roberto Suggi Liverani roberto.suggi@security-assessment.com
Link
http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf
Description
Security-Assessment.com discovered that multiple Adobe products with different Data Services versions are
vulnerable to XML External Entity (XXE) and XML injection attacks.
XML External Entity injection allows a wide range of XML-based attacks, including local file disclosure, TCP
scans and denial-of-service conditions, which can be achieved by recursive entity injection, attribute blow-up and
other types of injection. For more information about the implications of this vulnerability, refer to
RFC 2518 (17.7 Implications of XML External Entities): http://www.ietf.org/rfc/rfc2518.txt
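
A general mitigation for the attack classes listed above is to parse untrusted XML request bodies with a parser that refuses any DOCTYPE declaration, so that no entity can be declared in the first place. The following is an added example, not code from this advisory or from Adobe's fix; the class name, method names and sample bodies are assumptions constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

// Added example with a hypothetical class name; not the vendor's patch.
public class HardenedXmlBody {

    // Build a parser that rejects every DTD, which rules out both external
    // entities and recursive (entity expansion) declarations.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a DOCTYPE ever has to be allowed again.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        DocumentBuilder b = f.newDocumentBuilder();
        // DefaultHandler rethrows fatal errors and keeps them off stderr.
        b.setErrorHandler(new DefaultHandler());
        return b;
    }

    // Returns true if the body parses under the hardened settings.
    static boolean accepted(String body) throws Exception {
        try {
            byte[] raw = body.getBytes(StandardCharsets.UTF_8);
            hardenedBuilder().parse(new ByteArrayInputStream(raw));
            return true;
        } catch (SAXException e) {
            return false; // reject the request and log e.getMessage() server-side
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed, simplified stand-ins for XML request bodies; not captured traffic.
        String plain = "<amfx ver=\"3\"><body><string>hello</string></body></amfx>";
        String withDtd = "<!DOCTYPE amfx [<!ENTITY e \"constructed\">]>"
                + "<amfx ver=\"3\"><body><string>&e;</string></body></amfx>";
        System.out.println("plain body accepted:   " + accepted(plain));
        System.out.println("DOCTYPE body accepted: " + accepted(withDtd));
    }
}
```

The feature URIs are those understood by the Xerces-based parser bundled with the JDK; other JAXP implementations may need their own equivalents.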
Product Review
Adobe Data Services components provide Flex/RIA applications with data messaging, remoting and management
capabilities.
The discovered vulnerabilities affect the HTTPChannel servlet classes, namely
"mx.messaging.channels.HTTPChannel" and "mx.messaging.channels.SecureHTTPChannel". These classes are
part of the Data Services Messaging classes and can be found in the flex-messaging-common.jar Java archive.
The HTTPChannel transports data in the AMFX format, which is the text-based XML representation of AMF. The
HTTPChannel endpoints are defined in the services-config.xml file, located within the Flex/WEB-INF folder of the