Adobe Document Server for Reader Extensions contains a flaw that may lead to an unauthorized information disclosure.  The issue is triggered when accessing other sites as a user's session ID for ads-readerext is passed via the 'jsessionid' variable in the URL of the 'Referer' header.

Upgrade to version 6.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

• Secunia Advisory ID: 15924
• Bugtraq ID: 17500
• CVE ID: 2006-1787 (see also: NVD)
• Related OSVDB ID: 24587 24588 24589 24590 24591
• VUPEN Advisory: ADV-2006-1342 [ Link is 404 ]
• Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-04/0256.html
• Other Advisory URL: http://secunia.com/secunia_research/2005-68/advisory/
• Vendor URL: http://www.adobe.com/products/server/readerextensions/main.html

• Tan Chew Keong - Secunia Research
• Carsten Eiram - Secunia Research