[<prev] [next>] [day] [month] [year] [list]
Message-ID: <217445447.20020715131331@elcomsoft.com>
From: vkatalov at elcomsoft.com (Vladimir Katalov)
Subject: Vulnerability found: The Adobe eBook Library
Adobe Systems Incorporated (http://www.adobe.com) recently opened
a special web site to demonstrate the new library features of
Adobe Content Server 3.0 (http://www.adobe.com/products/contentserver).
According to Adobe description, "The Adobe eBook Library uses Adobe
Content Server as a secure repository for the eBooks". The library
is located at:
http://librarydemo.adobe.com/library/
There are a few books available -- 5 copies of each. The customer
can borrow any book for a fixed period of time (one or three days);
when one customer gets a book, the counter ("number of books
available") is decreased, and when it reaches zero, this book
becomes not available until at least one other customer will return
it to the library, or loan period will expire. However, there are three
bugs/vulnerabilities there:
1. It is possible to get all available copies of any book --
Adobe Acrobat eBook Reader doesn't check if you have borrowed the
given book already.
2. The loan period (one or three days) is not verified. It is implemented
in the script using the following
<FORM id=form2 name="form2" ACTION="download.asp" METHOD="POST">
<INPUT type=hidden value=133 name=bookid>
<INPUT type=radio CHECKED value=1440 name=loanMin> Borrow for 1 day<BR>
<INPUT type=radio value=4320 name=loanMin> Borrow for 3 days<BR>
...
The value of loanMin is the loan period in minutes (1440 for one
day, and 4320 for three days). It is possible to save the form to
the local disk, change one of the values to the one you need (i.e.
525600 for one year), load the updated form into the browser, and
by pressing the "Add to bookbag" button borrow this book for the
selected ("fake") period.
Note: it is also needed to change (in the local copy of the form)
"download.asp" to the following:
http://librarydemo.adobe.com/library/download.asp
Otherwise, the local form will not work.
3. When the book counter reaches zero, the user can see a note near the
book description:
There are currently none available.
Please check back later.
However, the "Add to bookbag" button is still available and working
just fine, i.e. it is still possible to get another copy (copies) of
the book. And the "Number of Books" counter (on the library page)
becomes negative.
By combining bugs [1] and [2], it is very easy to implement something
like "Denial-of-service" attack for the library: just get all copies of
all books from the library (for very large period of time -- e.g. a few
years). So no books will be available to anybody else.
Besides, there is ability to borrow the books for unlimited time.
--
Sincerely yours,
Vladimir
Vladimir Katalov
Managing Director
ElcomSoft Co.Ltd.
Member of Association of Shareware Professionals (ASP)
Member of Russian Cryptology Association
mailto:vkatalov@...omsoft.com
http://www.elcomsoft.com/adc.html (Advanced Disk Catalog)
http://www.elcomsoft.com/art.html (Advanced Registry Tracer)
http://www.elcomsoft.com/prs.html (Password Recovery Software)
Powered by blists - more mailing lists