Category: Application (Generic) > Adobe Content Server
Vendors: Adobe Systems Incorporated
Adobe Content Server Implementation Flaws Let Remote Users Borrow All Copies of an E-Book for an Unlimited Time, Execute Arbitrary SQL Commands, and Conduct Cross-site Scripting Attacks
SecurityTracker Alert ID: 1004766
SecurityTracker URL: http://securitytracker.com/id/1004766
CVE Reference: GENERIC-MAP-NOMATCH
Date: Jul 15 2002
Impact: Denial of service via network, Disclosure of authentication information, Execution of arbitrary code via network, Modification of user information, User access via network
Exploit Included: Yes
Version(s): 3.0
Description: Several vulnerabilities were reported in the Adobe Content Server. A remote user can check out all available copies of any e-book hosted on the server and can borrow them for an unlimited period of time, denying other users access to the e-book. A remote user can also execute SQL commands and conduct cross-site scripting attacks.

According to the report, the Adobe Acrobat eBook Reader does not check whether the user has already borrowed a particular book, so a remote user can check out all available copies of a book.

The loan period is reportedly specified in the 'loanMin' value of an HTML form and is not verified by the server. A remote user can modify the loanMin value (specified in minutes) to obtain an extended loan period.

When the book counter reaches zero, indicating that there are no more book copies available, a remote user can still use the "Add to bookbag" button to obtain a copy. This will cause the "Number of Books" counter on the library page to become negative.

Another user has separately reported that the library also suffers from input validation flaws, allowing a remote user to inject arbitrary SQL commands to be executed by the database server and to conduct cross-site scripting attacks against other library users. The specific nature of the input validation flaws was not reported.

In general, cross-site scripting attacks allow a remote user to create a URL or a web page entry that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will appear to originate or will actually originate from the vulnerable web site, running in the security context of that site. As a result, the code will be able to access the target user's cookies associated with that site (if any), access data recently submitted by the target user to the site via a web form, and take actions on the web site acting as the target user.

Impact: A remote user can obtain all copies of an available book for a long period of time to deny other users access to the book. A remote user can borrow a book for an unlimited period of time. A remote user can cause the server to execute arbitrary SQL commands.
Solution: No solution was available at the time of this entry.
Vendor URL: www.adobe.com/products/contentserver/main.html
Cause:   Exception handling error, Input validation error, State error
Underlying OS:  Windows (NT), Windows (2000)

Message History: None.


Source Message Contents

Subject:  Vulnerability found: The Adobe eBook Library



Find attached the detailed information about the bugs/vulnerabilities
we have found in The Adobe eBook Library.

--
Sincerely yours,
  Vladimir

Vladimir Katalov
Managing Director
ElcomSoft Co.Ltd.
Member of Russian Cryptology Association
mailto:info@elcomsoft.com
http://www.elcomsoft.com (Corporate site)
http://www.crackpassword.com (Password Recovery Software)



CONTACT INFORMATION
===============================================================================

 Name			: Vladimir Katalov
 E-mail			: info@elcomsoft.com
 Phone / fax		: +7 095 216-7937
                          +1 866 448-2703 (fax; US, toll-free)
 Affiliation and address: 2-171 generala Antonova st.
                          Moscow 117279
                          Russia


TECHNICAL INFO
===============================================================================

Description
-----------

  Adobe Systems Incorporated (http://www.adobe.com) recently opened
  a special web site to demonstrate the new library features of
  Adobe Content Server 3.0 (http://www.adobe.com/products/contentserver).
  According to Adobe's description, "The Adobe eBook Library uses Adobe
  Content Server as a secure repository for the eBooks". The library
  is located at:

  http://librarydemo.adobe.com/library/

  There are a few books available -- 5 copies of each. The customer
  can borrow any book for a fixed period of time (one or three days);
  when one customer gets a book, the counter ("number of books
  available") is decreased, and when it reaches zero, this book
  becomes unavailable until at least one other customer returns
  it to the library, or the loan period expires. However, there are three
  bugs/vulnerabilities there:

  1. It is possible to get all available copies of any book --
     Adobe Acrobat eBook Reader doesn't check if you have borrowed the
     given book already.

  2. The loan period (one or three days) is not verified. It is implemented
     in the script using the following form:

     <FORM id=form2 name="form2" ACTION="http://librarydemo.adobe.com/library/download.asp" METHOD="POST">
       <INPUT type=hidden value=133 name=bookid>
       <INPUT type=radio CHECKED value=1440 name=loanMin> Borrow for 1 day<BR>
       <INPUT type=radio value=4320 name=loanMin> Borrow for 3 days<BR>
       ...

     The value of loanMin is the loan period in minutes (1440 for one
     day, and 4320 for three days). It is possible to save the form to
     the local disk, change one of the values to the one you need (e.g.
     525600 for one year), load the updated form into the browser, and,
     by pressing the "Add to bookbag" button, borrow this book for the
     selected ("fake") period.

  3. When the book counter reaches zero, the user can see a note near the
     book description:

     There are currently none available.
     Please check back later.

     However, the "Add to bookbag" button is still available and working
     just fine, i.e. it is still possible to get another copy (copies) of
     the book. And the "Number of Books" counter (on the library page)
     becomes negative.

The impact
----------

  By combining bugs [1] and [2], it is very easy to implement something
  like a "Denial-of-service" attack for the library: just get all copies of
  all books from the library (for a very large period of time -- e.g. a few
  years). So no books will be available to anybody else.

  Besides, there is the ability to borrow the books for an unlimited time.

Possible workaround/fixes
-------------------------

  The script should verify the 'loanMin' input value, and should
  not allow borrowing the book if it does not match the pre-defined
  values, or if the number of books available is already zero.


OTHER INFORMATION
===========================================================================

  Some time ago we found a much more serious problem with another
  piece of Adobe software and reported it to the vendor; however, there was no
  response at all, and so we decided not to waste our time reporting
  this one (about the library) to Adobe.



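The server-side checks the report's workaround section calls for (only the pre-defined loan periods, one copy per user, no checkout once the counter is zero), written as an added example that is not part of the original report or of Adobe's download.asp. The Library class, the status strings and the lock are assumptions of this example; the field names and the 1440/4320/133 values mirror the form quoted above.

```python
import threading
from dataclasses import dataclass, field

# Loan periods the form offers, in minutes (1 day and 3 days). The client's
# loanMin is only ever compared against this set, never trusted as a number.
ALLOWED_LOAN_MIN = {1440, 4320}


@dataclass
class Library:
    """Server-side state: copies on the shelf per book and who holds what."""
    available: dict                                    # bookid -> copies left
    loans: set = field(default_factory=set)            # (user, bookid) pairs
    _lock: threading.Lock = field(default_factory=threading.Lock, init=False)

    def checkout(self, user, form):
        """Handle one 'Add to bookbag' POST.

        `form` is the submitted field dict (all values are strings, as they
        arrive from the browser). Returns a status string for the caller to
        render; only 'ok' changes library state.
        """
        # Reject anything that is not an integer before it reaches any query.
        try:
            loan_min = int(form.get("loanMin", ""))
            bookid = int(form.get("bookid", ""))
        except ValueError:
            return "bad_request"
        # Flaw 2: a tampered period such as 525600 is refused outright.
        if loan_min not in ALLOWED_LOAN_MIN:
            return "bad_loan_period"
        # Check-and-decrement happen under one lock so two requests that both
        # observe "1 copy left" cannot both succeed and drive the counter below zero.
        with self._lock:
            if bookid not in self.available:
                return "unknown_book"
            # Flaw 1: a second checkout of the same title by the same user is refused.
            if (user, bookid) in self.loans:
                return "already_borrowed"
            # Flaw 3: at zero copies the button does nothing, whatever the page shows.
            if self.available[bookid] <= 0:
                return "none_available"
            self.available[bookid] -= 1
            self.loans.add((user, bookid))
        return "ok"
```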