Secunia-Adobe.txt

Posted Apr 19, 2006
Site secunia.com

Secunia Advisory 13/04/2006 - Adobe Document Server for Reader Extensions Multiple Vulnerabilities

tags | advisory, vulnerability
SHA-256 | a3337d74ce3e7f7d86956b521ab2ed6bba9f699ed9207943d08bfdd241f2ce26

====================================================================== 

Secunia Research 13/04/2006

Adobe Document Server for Reader Extensions Multiple Vulnerabilities

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10

======================================================================
1) Affected Software

Adobe Document Server for Reader Extensions 6.0

Included with:
Adobe Document Server 6.0 (p026)
Adobe Graphics Server 2.1 (d013)

NOTE: Other versions may also be affected.

======================================================================
2) Severity

Rating: Less critical
Impact: Exposure of Sensitive Information
        Cross-Site Scripting
        Security Bypass
Where:  Remote

======================================================================
3) Vendor's Description of Software

"Easily share interactive, intelligent Adobe Portable Document Format
(PDF) documents with external parties — without requiring respondents
to invest in costly software.".

Product Link:
http://www.adobe.com/products/server/readerextensions/main.html

======================================================================
4) Description of Vulnerability

Secunia Research has discovered multiple vulnerabilities in Adobe
Document Server for Reader Extensions, which can be exploited by
malicious users to bypass certain security restrictions and conduct
script insertion attacks, or by malicious people to gain knowledge of
sensitive information or conduct cross-site scripting attacks.

1) Missing access control restrictions in the Adobe Document Server for
Reader Extensions (ads-readerext) can be exploited by authenticated
users to access functionality that they should not have access to, by
manipulating the "actionID" and "pageID" parameters.

Successful exploitation e.g. allows a low-privileged user with "Draft"
permissions to create a new administrative user account.

2) Input passed to the "ReaderURL" variable in the "Update Download
Site" section of ads-readerext is not properly sanitised before being
used. This can be exploited to insert arbitrary script code (prefixed
with either "ftp://" or "http://"), which will be executed in an
administrative user's browser session when logging in.

Normally, editing this field requires administrative privileges.
However, this can be combined with vulnerability #1 and therefore be
exploited by any valid user.

3) Input passed to the "actionID" parameter in ads-readerext and the
"op" parameter in Adobe Server Web Services (AlterCast) is not properly
sanitised before being returned to users. This can be exploited to
execute arbitrary HTML and script code in a user's browser session in
context of a vulnerable site.

Examples:
http://[host]:8019/ads-readerext/ads-readerext?actionID=[code]
http://[host]:8019/altercast/AlterCast?op=[code]

4) Different error messages are returned when attempting to log into
ads-readerext depending on whether or not the supplied username exists.
This can be exploited to enumerate valid accounts.

5) A user's session ID for ads-readerext is passed in the URL
("jsessionid" parameter) and exposed to other web sites in the
"Referer:" header.
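
Item 2 notes that the inserted code is prefixed with "ftp://" or "http://", so a prefix test alone does not constrain the rest of the value. The added example below (not code from Adobe or Secunia) contrasts a prefix-only test with a strict parse plus output encoding; the function names, the character allow-list and the sample values are assumptions made for illustration.

```python
import html
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "ftp"}   # the two prefixes named in item 2
# Characters legal in a URL, minus quotes; no '<', '>' or whitespace either.
SAFE_CHARS = set(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    "-._~:/?#[]@!$&()*+,;=%"
)

def prefix_check(value):
    """Prefix-only test, shown for contrast (the product's real check
    is not given in the advisory)."""
    return value.startswith(("http://", "ftp://"))

def strict_reader_url(value):
    """Return the value if it is a well-formed http/ftp URL, else None."""
    if len(value) > 2048 or any(c not in SAFE_CHARS for c in value):
        return None
    try:
        parts = urlsplit(value)
        parts.port                  # raises ValueError on a bad port
    except ValueError:
        return None
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return None
    return value

def render_link(value):
    """Encode on output as well, so a stored value cannot break out of
    the attribute or element even if validation was bypassed."""
    safe = html.escape(value, quote=True)
    return '<a href="%s">%s</a>' % (safe, safe)

# Constructed sample values, not taken from the advisory.
SAMPLES = [
    "http://download.example.com/reader/",
    "ftp://ftp.example.com/pub/",
    'http://x"><b>injected</b>',
    "http://example.com:99999/",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(prefix_check(s), strict_reader_url(s) is not None, render_link(s))
```

All four samples pass the prefix test; only the first two pass the strict check.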

======================================================================
5) Solution

Update to the current version of Adobe Document Server for Reader
Extensions.

NOTE: Adobe Document Server for Reader Extensions 6.0 is no longer a
supported product. Adobe has shipped two subsequent versions (Adobe
Document Server for Reader Extensions 6.1 and LiveCycle Reader
Extensions 7.0) both of which are not affected.
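
For installations still on 6.0, the request shapes described in items 3 and 5 of section 4 can be looked for in web server or proxy access logs. The added example below is not part of the Secunia advisory: it assumes combined-format log lines, and the log entries, addresses, host name and session value are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed combined-format access-log lines (not real traffic).
SAMPLE_LOG = '''\
192.0.2.10 - - [13/Apr/2006:10:00:01 +0000] "GET /ads-readerext/ads-readerext?actionID=login HTTP/1.1" 200 512 "-" "UA"
192.0.2.11 - - [13/Apr/2006:10:00:05 +0000] "GET /ads-readerext/ads-readerext?actionID=%3Cb%3Ex HTTP/1.1" 200 640 "-" "UA"
192.0.2.12 - - [13/Apr/2006:10:00:09 +0000] "GET /altercast/AlterCast?op=%22%3E HTTP/1.1" 200 300 "-" "UA"
192.0.2.13 - - [13/Apr/2006:10:00:12 +0000] "GET /ads-readerext/ads-readerext;jsessionid=CONSTRUCTED123?actionID=home HTTP/1.1" 200 900 "-" "UA"
198.51.100.7 - - [13/Apr/2006:10:00:20 +0000] "GET /index.html HTTP/1.1" 200 100 "http://host.example:8019/ads-readerext/ads-readerext;jsessionid=CONSTRUCTED123" "UA"
'''

LINE_RE = re.compile(
    r'"(?:GET|POST) (?P<url>\S+) HTTP/[\d.]+" \d{3} \S+ "(?P<referer>[^"]*)"')
# Endpoint path -> reflected parameter, as listed in item 3.
WATCHED = {"/ads-readerext/ads-readerext": "actionID",
           "/altercast/AlterCast": "op"}
MARKUP = set("<>\"'")   # characters an identifier-style parameter never needs

def scan_line(line):
    """Return the list of findings for one access-log line."""
    m = LINE_RE.search(line)
    if not m:
        return []
    findings = []
    url = urlsplit(m.group("url"))
    # Servlet containers carry the session as a ';jsessionid=' path parameter.
    path, _, path_params = url.path.partition(";")
    param = WATCHED.get(path)
    if param:
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if name == param and MARKUP & set(value):   # value is URL-decoded
                findings.append("markup-in-" + param)
    if "jsessionid=" in path_params.lower():
        findings.append("session-id-in-url")
    if "jsessionid=" in m.group("referer").lower():
        findings.append("session-id-in-referer")
    return findings

def scan(log_text):
    """Return (line_number, finding) pairs for a whole log."""
    return [(n, f) for n, line in enumerate(log_text.splitlines(), 1)
            for f in scan_line(line)]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Values are decoded once, so doubly encoded input is not flagged by this check.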

======================================================================
6) Time Table

26/07/2005 - Initial vendor notification.
26/07/2005 - Initial vendor reply.
13/04/2006 - Public disclosure.

======================================================================
7) Credits

Discovered by Carsten Eiram and Tan Chew Keong, Secunia Research.

======================================================================
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2006-1627 for the vulnerability.

Adobe:
http://www.adobe.com/support/techdocs/322699.html
http://www.adobe.com/support/techdocs/331915.html
http://www.adobe.com/support/techdocs/331917.html

======================================================================
9) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding
all the latest software vulnerabilities disclosed to the public. These
advisories are gathered in a publicly available database at the
Secunia website:

http://secunia.com/

Secunia offers services to our customers enabling them to receive all
relevant vulnerability information to their specific system
configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/

======================================================================
10) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2005-68/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================
