Vendor: SVG Viewer
By: SecurityFocus
CVSS: 7.5 (HIGH)
Restriction Bypass
CWE: 20
Product Name: SVG Viewer
Affected Version From: 3.0 and prior
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: a:adobe:svg_viewer
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Internet Explorer and other browsers
2002
Adobe SVG Viewer (ASV) getURL() and postURL() Methods Restriction Bypass Vulnerability
Adobe SVG Viewer (ASV) is prone to an issue in the implementation of the getURL() and postURL() methods. These methods are designed to prevent access to URIs in a foreign domain or local files. However, by using a redirect when calling these methods, it is possible to bypass these restrictions. This could be exploited to read local or remote files, potentially exposing sensitive information and allowing for theft of cookie-based authentication credentials.
Mitigation:
Adobe has released a patch to address this issue. Users should upgrade to the latest version of Adobe SVG Viewer.
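
A minimal model of the redirect bypass described above, next to a per-hop check that closes it. This is an added example, not Adobe's code or code from the original advisory: it assumes the restriction was applied only to the URL as requested, and the hosts, paths, response table and function names are all constructed for illustration.

```javascript
// Constructed response table standing in for the network (hypothetical hosts).
const RESPONSES = new Map([
  ["http://app.example/data.xml", { status: 200, body: "same-origin data" }],
  ["http://app.example/r1", { status: 302, location: "http://other.example/private" }],
  ["http://app.example/r2", { status: 302, location: "file:///constructed/local.txt" }],
  ["http://other.example/private", { status: 200, body: "foreign-domain data" }],
  ["file:///constructed/local.txt", { status: 200, body: "local file data" }],
]);

// Origin = scheme + host[:port]; file: URLs never match a remote document.
function originOf(url) {
  const u = new URL(url);
  return u.protocol === "file:" ? "file://" : `${u.protocol}//${u.host}`;
}

function assertAllowed(docUrl, target) {
  if (originOf(docUrl) !== originOf(target)) {
    throw new Error("blocked: " + target);
  }
}

// Shared fetch loop. checkEveryHop=false models the assumed flaw: the
// restriction is applied to the requested URL only, then redirects are
// followed blindly. checkEveryHop=true re-applies it to each redirect target.
function fetchRestricted(docUrl, requested, checkEveryHop) {
  let url = new URL(requested, docUrl).href;
  assertAllowed(docUrl, url);
  for (let hops = 0; hops < 5; hops++) {
    const res = RESPONSES.get(url);
    if (!res) throw new Error("no response for " + url);
    if (res.status !== 302) return res.body;
    url = new URL(res.location, url).href;
    if (checkEveryHop) assertAllowed(docUrl, url);
  }
  throw new Error("too many redirects");
}

const getUrlCheckedOnce = (doc, url) => fetchRestricted(doc, url, false);
const getUrlCheckedPerHop = (doc, url) => fetchRestricted(doc, url, true);

// Returns the body on success or the error message when the request is refused.
function outcome(fn, doc, url) {
  try { return fn(doc, url); } catch (e) { return e.message; }
}
```

With the document at `http://app.example/page.svg`, the check-once variant refuses a direct foreign URL but returns foreign and local content when reached through `/r1` or `/r2`; the per-hop variant refuses both redirects and still serves `/data.xml`.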