OSVDB ID: 23924

Title: Adobe Document/Graphics Server File URI Arbitrary Resource Manipulation

Dates

Disclosure: Mar 15, 2006
Discovery: Jul 26, 2005
Exploit: Unknown
Solution: Unknown

Description

Adobe Document/Graphics Server contains a flaw that may lead to unauthorized information disclosure, an arbitrary file overwrite, or a compromised system. The issue is caused by the 'loadContent', 'saveContent', and 'saveOptimized' ADS (Adobe Document Server) commands, which allow graphics or PDF files to be retrieved from or saved to arbitrary locations on the server using File URIs via the AlterCast web service. A malicious user can exploit this to run arbitrary commands during user logins, resulting in a loss of integrity.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Unknown
Disclosure: OSVDB Verified

Solution

Currently, there are no known upgrades or patches to correct this issue. However, it is possible to correct the flaw by implementing the additional hardening recommendations published by the vendor as a workaround.

Products

Adobe Systems Incorporated

Document Server

5.0
6.0 (p026)

Graphics Server

2.0
2.1 (d013)

References

Credit

  • Tan Chew Keong - vulnsecunia.com - Secunia Research


Direct URL: http://osvdb.org/23924