[NEWS] The Adobe eBook Library's Multiple Vulnerabilities

From: support@securiteam.com
Date: 07/14/02

To: list@securiteam.com
Date: Sun, 14 Jul 2002 10:17:38 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  The Adobe eBook Library's Multiple Vulnerabilities


Adobe Systems Incorporated recently opened a special web site to
demonstrate the new library features of
<http://www.adobe.com/products/contentserver> Adobe Content Server.
According to Adobe, "The Adobe eBook Library uses Adobe Content Server as
a secure repository for the eBooks". The vulnerabilities found in the
product contradict this claim. They range from loaning the same content
multiple times, to loaning content for an extended period (longer than
intended), to loaning content even when it is not available (the loans
counter becomes negative).


1. It is possible to get all available copies of any book -- Adobe Acrobat
eBook Reader does not check if you have borrowed the given book already.

2. The loan period (one or three days) is not verified by the server. It is
set on the client side, in the form that posts to download.asp:

      <FORM id=form2 name="form2" ACTION="http://librarydemo.adobe.com/library/download.asp" METHOD="POST">
        <INPUT type=hidden value=133 name=bookid>
        <INPUT type=radio CHECKED value=1440 name=loanMin> Borrow for 1 day <BR>
        <INPUT type=radio value=4320 name=loanMin> Borrow for 3 days <BR>

The value of loanMin is the loan period in minutes (1440 for one day, and
4320 for three days). It is possible to save the form to the local disk,
change one of the values to the one you need (e.g. 525600 for one year),
load the updated form into the browser, and by pressing the "Add to
bookbag" button borrow the book for the selected ("fake") period.

3. When the book counter reaches zero, the user can see a note near the
book description:

      There are currently none available.
      Please check back later.

However, the "Add to bookbag" button is still available and working just
fine, i.e. it is still possible to get another copy (copies) of the book.
In addition, the "Number of Books" counter (on the library page) becomes

By combining bugs [1] and [2], it is very easy to mount something like a
"denial-of-service" attack against the library: just borrow all copies of
all books for a very long period (e.g. a few years). As a result, no books
will be available to anybody else.
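The three defects above share one root cause: the server trusts the client for the loan period and never enforces its own loan state. As an added example (not the advisory's or Adobe's code), the following Python handler shows the server-side checks that would close all three gaps; it assumes a constructed in-memory sqlite catalogue with one book (id 133, two copies), and the table names and field names are hypothetical.

```python
import sqlite3

# Loan periods the library actually offers (minutes), mirroring the 1440/4320
# radio buttons in the form. The server enforces this allowlist itself instead
# of trusting whatever loanMin the client posts (bug 2).
ALLOWED_LOAN_MIN = {1440, 4320}


def open_library():
    """Constructed in-memory catalogue: book 133 with two copies on the shelf."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE books (id INTEGER PRIMARY KEY, available INTEGER NOT NULL)")
    # UNIQUE(user, bookid) makes the database itself refuse a second loan of the
    # same title to the same user, even under concurrent requests (bug 1).
    db.execute("CREATE TABLE loans (user TEXT, bookid INTEGER, loan_min INTEGER, "
               "UNIQUE(user, bookid))")
    db.execute("INSERT INTO books VALUES (133, 2)")
    db.commit()
    return db


def checkout(db, user, form):
    """Server-side handling of the posted download form. Returns (ok, reason)."""
    try:
        bookid = int(form["bookid"])
        loan_min = int(form["loanMin"])
    except (KeyError, ValueError):
        return False, "malformed request"
    if loan_min not in ALLOWED_LOAN_MIN:          # bug 2: client value is not authoritative
        return False, "invalid loan period"
    try:
        with db:  # decrement and loan record commit together, or roll back together
            held = db.execute("SELECT 1 FROM loans WHERE user=? AND bookid=?",
                              (user, bookid)).fetchone()
            if held:                                # bug 1: already holds this book
                return False, "already borrowed"
            # bug 3: conditional UPDATE only succeeds while copies remain, so the
            # counter can never be driven below zero by a stale "Add to bookbag" click.
            cur = db.execute("UPDATE books SET available = available - 1 "
                             "WHERE id=? AND available > 0", (bookid,))
            if cur.rowcount != 1:
                return False, "none available"
            db.execute("INSERT INTO loans VALUES (?, ?, ?)", (user, bookid, loan_min))
    except sqlite3.IntegrityError:                  # lost a race on the UNIQUE constraint
        return False, "already borrowed"
    return True, "loaned"


def available(db, bookid):
    """Copies currently on the shelf, or None for an unknown book id."""
    row = db.execute("SELECT available FROM books WHERE id=?", (bookid,)).fetchone()
    return row[0] if row else None
```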


The information has been provided by <mailto:info@elcomsoft.com> Vladimir

