If I recall correctly from the Content-Disposition HTML attachment
handling vulnerabilities last year, Opera didn't reliably abide by the
Content-Disposition header.
Additionally, Content-Disposition support in IE, Firefox, Opera,
Safari and a few others was extremely inconsistent from version to
version.
--
Thank you,
Darren Bounds
On 1/4/07, Noe Espinoza M. <nespinoza (at) grupowissen (dot) com [email concealed]> wrote:
> We need to force to the users do download the pdf files
>
> And we can add to the httpd.conf or .htaccess the next code
>
> SetEnvIf Request_URI "\.pdf$" requested_pdf=pdf
> Header add Content-Disposition "Attachment" env=requested_pdf
>
>
> Other solution is protect our pdf files to external links (hotlinking)
>
> Add in .htacces
>
> RewriteEngine on
> RewriteCond %{HTTP_REFERER} !^$
> RewriteCond %{HTTP_REFERER} !^http://([-a-z0-9]+\.)?example\.com[NC]
> RewriteRule .*\.(pdf)$ http://www.example.com/images/noexternal.gif [R,NC,L]
>
>
> Source from
> http://seguinfo.blogspot.com/2007/01/hacking-con-browser-plugins.html
>
>
>
> -----Mensaje original-----
> De: pdp (architect) [mailto:pdp.gnucitizen (at) googlemail (dot) com [email concealed]]
> Enviado el: jueves, 04 de enero de 2007 7:17
> Para: full-disclosure (at) lists.grok.org (dot) uk [email concealed]; bugtraq (at) securityfocus (dot) com [email concealed]; Web
> Security
> Asunto: Universal PDF XSS After Party
>
> Everybody knows about it. Everybody talks about it. We had a nice
> party. It is time for estimating the damages. In this article I will
> try to show the impact of the Universal PDF XSS vulnerability by
> explaining how it can be used in real life situations.
>
> http://www.gnucitizen.org/blog/universal-pdf-xss-after-party/
>
> --
> pdp (architect) | petko d. petkov
> http://www.gnucitizen.org
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
handling vulnerabilities last year, Opera didn't reliably abide by the
Content-Disposition header.
Additionally, Content-Disposition support in IE, Firefox, Opera,
Safari and a few others was extremely inconsistent from version to
version.
--
Thank you,
Darren Bounds
On 1/4/07, Noe Espinoza M. <nespinoza (at) grupowissen (dot) com [email concealed]> wrote:
> We need to force to the users do download the pdf files
>
> And we can add to the httpd.conf or .htaccess the next code
>
> SetEnvIf Request_URI "\.pdf$" requested_pdf=pdf
> Header add Content-Disposition "Attachment" env=requested_pdf
>
>
> Other solution is protect our pdf files to external links (hotlinking)
>
> Add in .htacces
>
> RewriteEngine on
> RewriteCond %{HTTP_REFERER} !^$
> RewriteCond %{HTTP_REFERER} !^http://([-a-z0-9]+\.)?example\.com[NC]
> RewriteRule .*\.(pdf)$ http://www.example.com/images/noexternal.gif [R,NC,L]
>
>
> Source from
> http://seguinfo.blogspot.com/2007/01/hacking-con-browser-plugins.html
>
>
>
> -----Mensaje original-----
> De: pdp (architect) [mailto:pdp.gnucitizen (at) googlemail (dot) com [email concealed]]
> Enviado el: jueves, 04 de enero de 2007 7:17
> Para: full-disclosure (at) lists.grok.org (dot) uk [email concealed]; bugtraq (at) securityfocus (dot) com [email concealed]; Web
> Security
> Asunto: Universal PDF XSS After Party
>
> Everybody knows about it. Everybody talks about it. We had a nice
> party. It is time for estimating the damages. In this article I will
> try to show the impact of the Universal PDF XSS vulnerability by
> explaining how it can be used in real life situations.
>
> http://www.gnucitizen.org/blog/universal-pdf-xss-after-party/
>
> --
> pdp (architect) | petko d. petkov
> http://www.gnucitizen.org
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
[ reply ]