Adobe InDesign Server SOAP interface RunScript command execution

Added: 02/04/2013
BID: 56574
OSVDB: 87548

Background

Adobe InDesign is a desktop publishing application. It includes a server interface that provides a SOAP-based API for software developers.

Problem

The SOAP interface in Adobe InDesign Server allows remote, unauthenticated attackers to run arbitrary commands contained in a RunScript SOAP message.

Resolution

No patches were available at the time of this writing. Disable the Adobe InDesign Server or block access to port 12345/TCP at the firewall.
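
Where the service has to stay reachable for some clients, requests to it can be monitored. The following is an added example, not part of the original advisory: it flags captured requests to port 12345/TCP whose SOAP Body carries a RunScript element from a source outside an allowlist. The record layout (source IP, destination port, body), the trusted network, and the sample envelope with its urn:example namespace are constructed assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

SOAP_PORT = 12345  # port named in the advisory
# Assumption: only this network may legitimately submit scripts.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]
# Constructed sample data; the x: namespace and placeholder child are made up.
ENVELOPE = (
    b'<e:Envelope xmlns:e="http://schemas.xmlsoap.org/soap/envelope/" '
    b'xmlns:x="urn:example:constructed">'
    b"<e:Body><x:RunScript><x:placeholder/></x:RunScript></e:Body></e:Envelope>"
)
SAMPLE = [
    ("10.20.0.15", 12345, ENVELOPE),   # trusted publisher
    ("203.0.113.7", 12345, ENVELOPE),  # outside the allowlist
    ("203.0.113.9", 12345, b"<!DOCTYPE x [<!ENTITY a 'b'>]><x/>"),
    ("203.0.113.7", 8080, ENVELOPE),   # other port, ignored
]


def soap_operations(body: bytes) -> set:
    """Return the local names of elements directly inside the SOAP Body."""
    if b"<!DOCTYPE" in body.upper():
        raise ValueError("DTD in SOAP body")  # refuse entity declarations
    ops = set()
    for elem in ET.fromstring(body).iter():
        if elem.tag.rsplit("}", 1)[-1] == "Body":
            ops.update(child.tag.rsplit("}", 1)[-1] for child in elem)
    return ops


def flag_requests(records):
    """Yield (source, reason) for requests to the SOAP port that need review."""
    for src, dport, body in records:
        if dport != SOAP_PORT:
            continue
        trusted = any(ipaddress.ip_address(src) in n for n in TRUSTED_NETS)
        try:
            ops = soap_operations(body)
        except (ET.ParseError, ValueError) as exc:
            yield src, f"unparseable SOAP body: {exc}"
            continue
        if "RunScript" in ops and not trusted:
            yield src, "RunScript from untrusted source"


if __name__ == "__main__":
    for source, reason in flag_requests(SAMPLE):
        print(source, reason)
```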

References

http://secunia.com/advisories/48572/

Limitations

Exploit works on Adobe InDesign Server CS6 8.0.0.370 on Windows Server 2008 R2 SP1 (DEP OptOut).

Platforms

Windows
