[NEWS] The Adobe eBook Library's Multiple Vulnerabilities

From: support@securiteam.com
Date: 07/14/02


The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  The Adobe eBook Library's Multiple Vulnerabilities
------------------------------------------------------------------------

SUMMARY

Adobe Systems Incorporated recently opened a special web site to
demonstrate the new library features of
<http://www.adobe.com/products/contentserver> Adobe Content Server.
According to Adobe, "The Adobe eBook Library uses Adobe Content Server as
a secure repository for the eBooks". This claim is contradicted by the
vulnerabilities found in the product, which range from borrowing the same
content multiple times, borrowing content for a longer period than intended,
and borrowing content even when no copies are available (the loan counter
becomes negative).

DETAILS

1. It is possible to get all available copies of any book -- Adobe Acrobat
eBook Reader does not check if you have borrowed the given book already.

2. The loan period (one or three days) is not verified on the server. The
period is selected client-side by the following HTML form:

      <FORM id=form2 name="form2" ACTION="http://librarydemo.adobe.com/library/download.asp" METHOD="POST">
        <INPUT type=hidden value=133 name=bookid>
        <INPUT type=radio CHECKED value=1440 name=loanMin> Borrow for 1 day <BR>
        <INPUT type=radio value=4320 name=loanMin> Borrow for 3 days <BR>

The value of loanMin is the loan period in minutes (1440 for one day, and
4320 for three days). It is possible to save the form to the local disk,
change one of the values to the one you need (e.g. 525600 for one year),
load the updated form into the browser, and by pressing the "Add to
bookbag" button borrow the book for the selected ("fake") period.

3. When the book counter reaches zero, the user can see a note near the
book description:

      There are currently none available.
      Please check back later.

However, the "Add to bookbag" button is still available and working just
fine, i.e. it is still possible to get another copy (copies) of the book.
In addition, the "Number of Books" counter (on the library page) becomes
negative.

Impact:
By combining bugs [1] and [2], it is very easy to mount something like a
denial-of-service attack against the library: borrow all copies of all
books for a very long period (e.g. a few years), so that no books remain
available to anybody else.
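All three bugs share one root cause: the server trusts the client's form values (loanMin, bookid) and never checks its own loan state before handing out a copy. The following is an added example, not code from the advisory or from Adobe Content Server, of what a hardened borrow handler for a request like the download.asp form above would check. The Library and Book classes, the in-memory loan table and the user names are constructed for the example; only the field names (bookid, loanMin) and the two offered periods (1440 and 4320 minutes) come from the advisory.

```python
import threading
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Loan periods the library actually offers, in minutes (values from the advisory's form).
ALLOWED_LOAN_MINUTES = {1440, 4320}


@dataclass
class Book:
    book_id: int
    available: int  # copies currently on the shelf (server-side state)


@dataclass
class Library:
    """Hypothetical server-side library state; a real deployment would keep this in a database."""
    books: Dict[int, Book]
    # (user, book_id) -> loan length in minutes; constructed stand-in for a loans table
    loans: Dict[Tuple[str, int], int] = field(default_factory=dict)
    # check-and-decrement must be atomic, otherwise two concurrent requests
    # could both pass the availability test (a DB row lock plays this role in practice)
    lock: threading.Lock = field(default_factory=threading.Lock, repr=False, compare=False)

    def borrow(self, user: str, form: Dict[str, str]) -> Tuple[bool, str]:
        """Handle one POST of the borrow form. Every decision comes from
        server-side state; the form only names the book and the requested period."""
        try:
            book_id = int(form["bookid"])
            loan_min = int(form["loanMin"])
        except (KeyError, ValueError):
            return False, "malformed request"

        # Bug [2]: the period must be one the server offers, not whatever the client sent
        if loan_min not in ALLOWED_LOAN_MINUTES:
            return False, "invalid loan period"

        with self.lock:
            book = self.books.get(book_id)
            if book is None:
                return False, "unknown book"
            # Bug [1]: a user who already holds this title may not take another copy
            if (user, book_id) in self.loans:
                return False, "already borrowed"
            # Bug [3]: refuse when the shelf is empty so the counter never goes negative
            if book.available <= 0:
                return False, "none available"
            book.available -= 1
            self.loans[(user, book_id)] = loan_min
            return True, f"borrowed {book_id} for {loan_min} minutes"


def demo() -> Tuple[Library, list]:
    """Replay the three advisory scenarios against a library with two copies of book 133."""
    lib = Library(books={133: Book(133, 2)})
    results = [
        lib.borrow("alice", {"bookid": "133", "loanMin": "525600"}),  # tampered period
        lib.borrow("alice", {"bookid": "133", "loanMin": "1440"}),    # legitimate loan
        lib.borrow("alice", {"bookid": "133", "loanMin": "1440"}),    # second copy of same title
        lib.borrow("bob", {"bookid": "133", "loanMin": "4320"}),      # last copy
        lib.borrow("carol", {"bookid": "133", "loanMin": "4320"}),    # shelf empty
    ]
    return lib, results


if __name__ == "__main__":
    _, outcomes = demo()
    for ok, msg in outcomes:
        print("OK " if ok else "REJ", msg)
```

The important design point is that the radio button value is treated as a selection among server-defined options, never as the period itself, and that the availability check and the decrement happen under the same lock so the counter cannot be driven below zero by concurrent requests.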

ADDITIONAL INFORMATION

The information has been provided by <mailto:info@elcomsoft.com> Vladimir
Katalov.
