TITLE: Adobe Document Server for Reader Extensions Multiple Vulnerabilities SECUNIA ADVISORY ID: SA15924 VERIFY ADVISORY: http://secunia.com/advisories/15924/ CRITICAL: Less critical IMPACT: Security Bypass, Cross Site Scripting, Exposure of sensitive information WHERE: >From remote SOFTWARE: Adobe Graphics Server 2.x http://secunia.com/product/5397/ Adobe Document Server 5.x http://secunia.com/product/8714/ Adobe Document Server 6.x http://secunia.com/product/1224/ Adobe Document Server for Reader Extensions 6.x http://secunia.com/product/9335/ DESCRIPTION: Secunia Research has discovered multiple vulnerabilities in Adobe Document Server for Reader Extensions, which can be exploited by malicious users to bypass certain security restrictions and conduct script insertion attacks, or by malicious people to gain knowledge of sensitive information or conduct cross-site scripting attacks. 1) Missing access control restrictions in the Adobe Document Server for Reader Extensions (ads-readerext) can be exploited by authenticated users to access functionality, which they should not have access to, by manipulating the "actionID" and "pageID" parameters. Successful exploitation e.g. allows a low-privileged user with "Draft" permissions to create a new administrative user account. 2) Input passed to the "ReaderURL" variable in the "Update Download Site" section of ads-readerext is not properly sanitised before being used. This can be exploited to insert arbitrary script code (prefixed with either "ftp://" or "http://"), which will be executed in an administrative user's browser session when logging in. Normally, editing this field requires administrative privileges. However, this can be combined with vulnerability #1 and therefore be exploited by any valid user. 3) Input passed to the "actionID" parameter in ads-readerext and the "op" parameter in Adobe Server Web Services (AlterCast) is not properly sanitised before being returned to users. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of a vulnerable site. Examples: http://[host]:8019/ads-readerext/ads-readerext?actionID=[code] http://[host]:8019/altercast/AlterCast?op=[code] 4) Different error messages are returned when attempting to log into ads-readerext depending on whether or not the supplied username exists. This can be exploited to enumerate valid accounts. 5) A user's session ID for ads-readerext is passed in the URL ("jsessionid" parameter) and exposed to other web sites in the "Referer:" header. The vulnerabilities have been confirmed in Adobe Document Server for Reader Extensions 6.0 included with Document Server 6.0 (p026) and Graphics Server 2.1 (d013). Other versions may also be affected. SOLUTION: Update to the current version of Adobe Document Server for Reader Extensions. NOTE: Adobe Document Server for Reader Extensions 6.0 is no longer a supported product. Adobe has shipped two subsequent versions (Adobe Document Server for Reader Extensions 6.1 and LiveCycle Reader Extensions 7.0) both of which are not affected. PROVIDED AND/OR DISCOVERED BY: Tan Chew Keong and Carsten Eiram, Secunia Research. ORIGINAL ADVISORY: Secunia Research: http://secunia.com/secunia_research/2005-68/ Adobe: http://www.adobe.com/support/techdocs/322699.html http://www.adobe.com/support/techdocs/331915.html http://www.adobe.com/support/techdocs/331917.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------