Adobe Reader 7: XML External Entity (XXE) Attack Jun 16 2005 03:08PM
Sverre H. Huseby (shh thathost com) (1 replies)
XML External Entity (XXE) Attack Possible in Adobe Reader 7

SHH #7, 2005-06-16


Recent versions of Adobe Reader (previously known as Acrobat Reader)
are vulnerable to XML External Entity (XXE) Attacks. By including a
JavaScript in a PDF file, and have this JavaScript parse an embedded
XML document with a reference to an external entity, it is possible to
read certain types of textual files on the local computer, and have
them sent to a remote attacker.


The hairy details (the problem description sent to Adobe), including
sample PDFs, are available on a separate web page:


Disable the use of JavaScript in Adobe Reader, or upgrade to a version
not vulnerable to this attack.

Vendor Notification

The Adobe developers were notified on 2005-04-15. They made a fix
available on 2005-06-15.

Affected versions

Confirmed to work in version 7.0 and 7.0.1 on Microsoft Windows,
version 7.0 on GNU/Linux and version 7.0 on Mac OSX.

It is unknown whether the attack works in version 6, which also
supports JavaScript in PDF files.

Fixed versions

Adobe Reader version 7.0.2.
For Adobe's own advisory, see the following URL:


Thanks to Jeremiah Grossman for verifying that the attack also works
on the Mac OSX version of Adobe Reader.

Reported by Sverre H. Huseby

[ reply ]
Re: Adobe Reader 7: XML External Entity (XXE) Attack Jun 17 2005 10:42AM
Slawek (sgp telsatgp com pl)


Privacy Statement
Copyright 2010, SecurityFocus