Support Knowledgebase
 
Document 331915
 
Last edited
08/18/2005


 

Adobe Document Server for Reader Extensions 6.0 session ID parameter is exposed

Issue

When using Adobe Document Server for Reader Extensions 6.0, a user's session ID is included in the URL (the "jsessionid" parameter) and is exposed to other websites in the "Referer:" header. It is also possible that a malicious person might monitor a company's Internet traffic to steal the session ID directly from the URL. The malicious person could then use that session ID to obtain a copy of the PDF file that a legitimate user is processing with Reader Extensions.

Solutions

Use one of the following solutions:

Solution 1: Upgrade to Adobe Reader Extensions Server 6.1 or Adobe LiveCycle Reader Extensions 7.0.

To prevent this issue from occurring, upgrade to either Adobe Reader Extensions Server 6.1 or Adobe LiveCycle Reader Extensions 7.0. For upgrade information, visit the Adobe website at www.adobe.com/support/products/enterprise/.

Solution 2: Close the Adobe Document Server for Reader Extensions web interface.

When using the Adobe Document Server for Reader Extensions 6.0 web-based interface, users should always close the Adobe Document Server for Reader Extensions 6.0 page before visiting any other website.

Background information

Adobe Reader Extensions Server 6.1 and LiveCycle Reader Extensions 7.0 transmit the session ID in a cookie instead of in the URL. These versions also support SSL for encrypting the file data being uploaded and downloaded. Both of these changes prevent the problem described in this document.
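To check whether session IDs are appearing in request URLs or "Referer:" headers as described under Issue, a web server or proxy access log can be scanned for the "jsessionid" parameter. The following is an added example, not Adobe code; it assumes the log is in Combined Log Format, and the sample lines, hostnames and ID values are constructed.

```python
import re

# Assumed input: Combined Log Format
# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)"'
)
# jsessionid usually appears as a path parameter (;jsessionid=...),
# but a query-string form (?jsessionid= / &jsessionid=) is matched too.
SID_RE = re.compile(r'([;?&]jsessionid=)([^;?&#/\s"]+)', re.IGNORECASE)


def redact(text):
    """Replace the session ID value so the report itself does not leak it."""
    return SID_RE.sub(lambda m: m.group(1) + "<redacted>", text)


def find_exposures(lines):
    """Return (line_no, host, field, redacted_value) for each request URL
    ("target") or Referer value that carries a session ID."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the assumed format; skip rather than guess
        for field in ("target", "referer"):
            value = m.group(field)
            if SID_RE.search(value):
                findings.append((line_no, m.group("host"), field, redact(value)))
    return findings


# Constructed sample lines (addresses, paths and IDs are made up).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Aug/2005:10:00:01 +0000] "GET /app/upload.jsp;jsessionid=A1B2C3D4E5F6 HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [18/Aug/2005:10:00:09 +0000] "GET /news/index.html HTTP/1.1" 200 2048 "http://intranet.example/app/done.jsp;jsessionid=A1B2C3D4E5F6?doc=7" "Mozilla/4.0"',
    '192.0.2.11 - - [18/Aug/2005:10:01:00 +0000] "GET /app/login.jsp HTTP/1.1" 200 900 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for finding in find_exposures(SAMPLE_LOG):
        print(finding)
```

A "referer" finding means the session ID was sent to whichever server received that request; a "target" finding means it was visible in the URL to anything that logs or observes the request.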

