BugTraq
Universal PDF XSS After Party Jan 04 2007 01:16PM
pdp (architect) (pdp gnucitizen googlemail com) (1 replies)
RE: Universal PDF XSS After Party(posible solution) Jan 04 2007 06:25PM
Noe Espinoza M. (nespinoza grupowissen com)
We need to force to the users do download the pdf files

And we can add to the httpd.conf or .htaccess the next code

SetEnvIf Request_URI "\.pdf$" requested_pdf=pdf
Header add Content-Disposition "Attachment" env=requested_pdf

Other solution is protect our pdf files to external links (hotlinking)

Add in .htacces

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://([-a-z0-9]+\.)?example\.com[NC]
RewriteRule .*\.(pdf)$ http://www.example.com/images/noexternal.gif [R,NC,L]

Source from
http://seguinfo.blogspot.com/2007/01/hacking-con-browser-plugins.html

-----Mensaje original-----
De: pdp (architect) [mailto:pdp.gnucitizen (at) googlemail (dot) com [email concealed]]
Enviado el: jueves, 04 de enero de 2007 7:17
Para: full-disclosure (at) lists.grok.org (dot) uk [email concealed]; bugtraq (at) securityfocus (dot) com [email concealed]; Web
Security
Asunto: Universal PDF XSS After Party

Everybody knows about it. Everybody talks about it. We had a nice
party. It is time for estimating the damages. In this article I will
try to show the impact of the Universal PDF XSS vulnerability by
explaining how it can be used in real life situations.

http://www.gnucitizen.org/blog/universal-pdf-xss-after-party/

--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus