BugTraq
Adobe Reader 7: XML External Entity (XXE) Attack Jun 16 2005 03:08PM
Sverre H. Huseby (shh thathost com) (1 replies)
XML External Entity (XXE) Attack Possible in Adobe Reader 7
-----------------------------------------------------------

SHH #7, 2005-06-16

Description
-----------

Recent versions of Adobe Reader (previously known as Acrobat Reader)
are vulnerable to XML External Entity (XXE) Attacks. By including a
JavaScript in a PDF file, and have this JavaScript parse an embedded
XML document with a reference to an external entity, it is possible to
read certain types of textual files on the local computer, and have
them sent to a remote attacker.

Details
-------

The hairy details (the problem description sent to Adobe), including
sample PDFs, are available on a separate web page:
http://shh.thathost.com/secadv/adobexxe/

Solution
--------

Disable the use of JavaScript in Adobe Reader, or upgrade to a version
not vulnerable to this attack.

Vendor Notification
-------------------

The Adobe developers were notified on 2005-04-15. They made a fix
available on 2005-06-15.

Affected versions
-----------------

Confirmed to work in version 7.0 and 7.0.1 on Microsoft Windows,
version 7.0 on GNU/Linux and version 7.0 on Mac OSX.

It is unknown whether the attack works in version 6, which also
supports JavaScript in PDF files.

Fixed versions
--------------

Adobe Reader version 7.0.2.
For Adobe's own advisory, see the following URL:
http://www.adobe.com/support/techdocs/331710.html

Credits
-------

Thanks to Jeremiah Grossman for verifying that the attack also works
on the Mac OSX version of Adobe Reader.

----------------------------
Reported by Sverre H. Huseby

[ reply ]
Re: Adobe Reader 7: XML External Entity (XXE) Attack Jun 17 2005 10:42AM
Slawek (sgp telsatgp com pl)


 

Privacy Statement
Copyright 2010, SecurityFocus