Your achievements

Level 1

0% to

Level 2

Tip /
Sign in

Sign in to Community

to gain points, level up, and earn exciting badges like the new
BedrockMission!

Learn more

View all

Sign in to view all badges

SOLVED

URL Personalization Guideline Query

polik335
Level 1
Level 1

Hi

 

Just a general question, according to the latest Adobe guidelines it states to avoid URL peronalization e.g. <%= url >, https://<%= url >, https://<%= domain >/path etc. Does anyone know when this came in to effect or has this always been there? The guidelines was updated in Apr 2020 but I want to understand has this always been the case or is new?.

 

Regards Polik

Adobe Campaign Classic domain personlization URL
1 Accepted Solution
Darren_Bowers
Correct answer by
Community Advisor
Community Advisor

Vulnerabilities are always being discovered and the issue seems to be with a third-party library called Tidy. Apparently this library randomly doesn't patch URLs correctly which might lead to the security vulnerability (open redirect hijack / phishing).

Hard to tell if this is a new issue with no patch or its an legacy issue that was just discovered or just that Campaign uses a legacy version with the vulnerability that was eventually patched. Either way, the recommendation is not to encode hostnames in your personalised URLs.

I would say the fact that we all got an important email was this was just discovered or just exploited in the wild, but that's just speculation. The email was worded carefully "...Adobe is currently not aware of any threat actor having used this attack method in connection with your Campaign Classic instance..."

Adobe security bulletins and CVE database listings don't show anything new

 

View solution in original post

2 Replies
Darren_Bowers
Correct answer by
Community Advisor
Community Advisor

Vulnerabilities are always being discovered and the issue seems to be with a third-party library called Tidy. Apparently this library randomly doesn't patch URLs correctly which might lead to the security vulnerability (open redirect hijack / phishing).

Hard to tell if this is a new issue with no patch or its an legacy issue that was just discovered or just that Campaign uses a legacy version with the vulnerability that was eventually patched. Either way, the recommendation is not to encode hostnames in your personalised URLs.

I would say the fact that we all got an important email was this was just discovered or just exploited in the wild, but that's just speculation. The email was worded carefully "...Adobe is currently not aware of any threat actor having used this attack method in connection with your Campaign Classic instance..."

Adobe security bulletins and CVE database listings don't show anything new

 

View solution in original post

polik335
Level 1
Level 1
Good know and I think you may be right as I was alerted by Adobe a few days later that an endpoint had been compromised through the use of personalized URLs (only affected less than a handful of people). Since then we have worked with Adobe to mitigate the issue with following best practices, whitelisting and some other measures we are waiting on Adobe for. Thanks