The library is also affected by sql injection, css, etc. The web application must be reviewed and fixed.

Cesar.

--- Vladimir Katalov <infoat_private> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: MD5
>
> Find attached the detailed information about the bugs/vulnerabilities we have found in The Adobe eBook Library.
>
> --
> Sincerely yours,
> Vladimir
>
> Vladimir Katalov
> Managing Director
> ElcomSoft Co.Ltd.
> Member of Russian Cryptology Association
> mailto:infoat_private
> http://www.elcomsoft.com (Corporate site)
> http://www.crackpassword.com (Password Recovery Software)
>
> CONTACT INFORMATION
> ===============================================================================
>
> Name : Vladimir Katalov
> E-mail : infoat_private
> Phone / fax : +7 095 216-7937
> +1 866 448-2703 (fax; US, toll-free)
> Affiliation and address: 2-171 generala Antonova st.
> Moscow 117279
> Russia
>
>
> TECHNICAL INFO
> ===============================================================================
>
> Description
> -----------
>
> Adobe Systems Incorporated (http://www.adobe.com) recently opened a special web site to demonstrate the new library features of Adobe Content Server 3.0 (http://www.adobe.com/products/contentserver). According to Adobe's description, "The Adobe eBook Library uses Adobe Content Server as a secure repository for the eBooks".
> The library is located at:
>
> http://librarydemo.adobe.com/library/
>
> There are a few books available -- 5 copies of each. The customer can borrow any book for a fixed period of time (one or three days); when one customer gets a book, the counter ("number of books available") is decreased, and when it reaches zero, this book becomes unavailable until at least one other customer returns it to the library, or the loan period expires. However, there are three bugs/vulnerabilities there:
>
> 1. It is possible to get all available copies of any book -- Adobe Acrobat eBook Reader doesn't check if you have borrowed the given book already.
>
> 2. The loan period (one or three days) is not verified. It is implemented in the script using the following:
>
> <FORM id=form2 name="form2" ACTION="http://librarydemo.adobe.com/library/download.asp" METHOD="POST">
> <INPUT type=hidden value=133 name=bookid>
> <INPUT type=radio CHECKED value=1440 name=loanMin> Borrow for 1 day<BR>
> <INPUT type=radio value=4320 name=loanMin> Borrow for 3 days<BR>
> ...
>
> The value of loanMin is the loan period in minutes (1440 for one day, and 4320 for three days). It is possible to save the form to the local disk, change one of the values to the one you need (i.e. 525600 for one year), load the updated form into the browser, and by pressing the "Add to bookbag" button borrow this book for the selected ("fake") period.
>
> 3. When the book counter reaches zero, the user can see a note near the book description:
>
> There are currently none available.
> Please check back later.
>
> However, the "Add to bookbag" button is still available and working just fine, i.e. it is still possible to get another copy (copies) of the book. And the "Number of Books" counter (on the library page) becomes negative.
>
> The impact
> ----------
>
> By combining bugs [1] and [2], it is very easy to implement something like a "Denial-of-service" attack for the library: just get all copies of all books from the library (for a very large period of time -- e.g. a few years). So no books will be available to anybody else.
>
> Besides, there is the ability to borrow the books for an unlimited time.
>
> Possible workaround/fixes
> -------------------------
>
> The script should verify the 'loanMin' input value, and should not allow borrowing the book if it does not match the pre-defined values, or if the number of books available is already zero.
>
>
> OTHER INFORMATION
> ===========================================================================
>
> Some time ago we found a much more serious problem with another Adobe software product and reported it to the vendor; however, there was no response at all, and so we decided not to waste our time reporting this one (about the library) to Adobe.
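A server-side check along the lines of the workaround proposed in the quoted advisory, written as an added example here; it is not the library's own download.asp script. The field names bookid and loanMin and the values 1440/4320 come from the quoted form; the Book model, the borrow() function and the sample state are constructed for illustration.

```python
# Added example (not the original ASP script): validate the borrow form on the
# server instead of trusting the hidden/radio values the browser sent.
from dataclasses import dataclass, field

ALLOWED_LOAN_MIN = {1440, 4320}  # 1 day and 3 days: the only periods offered


@dataclass
class Book:
    title: str
    available: int                                  # copies not on loan
    loans: dict = field(default_factory=dict)       # user -> loan period (minutes)


class BorrowError(Exception):
    """Raised for any request a well-behaved client could not have sent."""


def borrow(library: dict, user: str, form: dict) -> int:
    """Apply the advisory's checks to a POSTed form and record the loan.

    Returns the remaining number of copies; raises BorrowError otherwise.
    In a real deployment the check-and-decrement must run inside one database
    transaction so two concurrent requests cannot both pass the count check.
    """
    try:
        bookid = int(form.get("bookid", ""))
        loan_min = int(form.get("loanMin", ""))
    except ValueError:
        raise BorrowError("non-numeric form field")
    if loan_min not in ALLOWED_LOAN_MIN:            # bug 2: forged loan period
        raise BorrowError(f"loan period {loan_min} is not offered")
    book = library.get(bookid)
    if book is None:
        raise BorrowError("unknown book")
    if user in book.loans:                          # bug 1: repeated borrowing
        raise BorrowError("user already holds this book")
    if book.available <= 0:                         # bug 3: counter going negative
        raise BorrowError("no copies available")
    book.available -= 1
    book.loans[user] = loan_min
    return book.available


def rejected(library: dict, user: str, form: dict) -> bool:
    """True if borrow() refuses the request (convenience for quick checks)."""
    try:
        borrow(library, user, form)
    except BorrowError:
        return True
    return False


# Constructed sample state: one title (bookid 133 as in the form) with two copies.
LIBRARY = {133: Book("Sample title", available=2)}
```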
This archive was generated by hypermail 2b30 : Fri Jul 12 2002 - 12:04:15 PDT