Acrobat Reader suffers major XSS flaw
Published: 2007-01-04

An ill-conceived feature in the widely used Acrobat Reader browser plug-in leaves any website that serves a PDF file open to client-side cross-site scripting. The flaw requires user action (the victim has to open a crafted link), but it is easily exploited in numerous ways.

The Universal PDF XSS flaw was discovered by Stefano Di Paola and Giorgio Fedon. It abuses the "Open Parameters" feature of the Acrobat Reader plug-in: parameters appended to a PDF link after the "#" character (for example "#page=2") tell the plug-in how to open the document, and the parameters that take a URL (FDF, xml and xfdf) also accept a "javascript:" URL, which the vulnerable plug-in hands to the browser to run in the origin of the site hosting the PDF. Because everything after "#" stays in the browser and is never sent to the server, the hosting site cannot see or filter the payload, and the PDF itself need not be malicious: any PDF already on the site will do. Symantec's Hon Lau has written a good blog entry on the issue, and GNUCITIZEN has published an excellent tutorial on using the flaw to inject JavaScript into a vulnerable client, helping the public become aware of the dangers and of the ease with which this flaw can be exploited. Social networking websites, and any other site that keeps a session ID in a cookie, are particularly exposed, since script running in the site's origin can read and exfiltrate that cookie.
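The following is an added example, not code from the SecurityFocus article or from the researchers it cites. It shows the shape of the attack URL and why a server-side filter cannot catch it: a small link scanner that parses a PDF link's fragment as Open Parameters and flags a "javascript:" value in the FDF, xml or xfdf parameters, plus a helper that returns what the PDF host actually receives on the wire. The parameter names and the "javascript:" scheme are facts about the flaw; the function names, the sample URLs and the scanner's heuristics (lower-casing names, loose percent-decoding, stripping whitespace from the scheme) are this example's own choices.

```javascript
// Added example (not the article's or the researchers' code). Recognises the
// Universal PDF XSS pattern in a link and shows what reaches the server.

// Open Parameters that take a URL as their value; a javascript: URL here was
// executed by the vulnerable Acrobat Reader plug-in in the PDF host's origin.
const URL_VALUED_PARAMS = new Set(['fdf', 'xml', 'xfdf']);

// Percent-decode defensively: a malformed escape falls back to the raw text
// rather than throwing, so an attacker cannot dodge the check with bad %xx.
function decodeLoose(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Parse "#name=value&name=value" into [name, value] pairs, the way the
// plug-in reads Open Parameters. Names are lower-cased for comparison.
function parseOpenParameters(fragment) {
  const pairs = [];
  for (const part of fragment.replace(/^#/, '').split('&')) {
    if (!part) continue;
    const eq = part.indexOf('=');
    const name = eq === -1 ? part : part.slice(0, eq);
    const value = eq === -1 ? '' : part.slice(eq + 1);
    pairs.push([name.trim().toLowerCase(), decodeLoose(value)]);
  }
  return pairs;
}

// True when the value is a javascript: URL. Whitespace and control characters
// are removed first, since browsers ignore them when reading a scheme.
function isJavascriptUrl(value) {
  const scheme = value.replace(/[\s\u0000-\u001f]/g, '').toLowerCase();
  return scheme.startsWith('javascript:');
}

// Classify one link. A relative href is resolved against `base` (assumed).
function classifyPdfLink(href, base = 'http://example.invalid/') {
  let u;
  try { u = new URL(href, base); } catch (e) {
    return { suspicious: false, reason: 'unparseable' };
  }
  if (!/\.pdf$/i.test(u.pathname)) return { suspicious: false, reason: 'not a pdf' };
  if (!u.hash) return { suspicious: false, reason: 'no open parameters' };
  for (const [name, value] of parseOpenParameters(u.hash)) {
    if (URL_VALUED_PARAMS.has(name) && isJavascriptUrl(value)) {
      return { suspicious: true, reason: name + '=javascript: in fragment' };
    }
  }
  return { suspicious: false, reason: 'open parameters look benign' };
}

// The request target the PDF host sees: path and query only. The fragment,
// and with it the payload, never leaves the browser.
function requestTarget(href) {
  const u = new URL(href);
  return u.pathname + u.search;
}

// Constructed sample links (not taken from any real site).
const SAMPLE_LINKS = [
  'http://www.example.com/docs/report.pdf#FDF=javascript:alert(document.cookie)',
  'http://www.example.com/docs/report.pdf#xml=%6Aavascript:alert(1)',
  'http://www.example.com/docs/report.pdf#page=2&zoom=100',
  'http://www.example.com/index.html#FDF=javascript:alert(1)',
];

for (const link of SAMPLE_LINKS) {
  const verdict = classifyPdfLink(link);
  console.log(verdict.suspicious ? 'SUSPICIOUS' : 'ok', verdict.reason, '->', requestTarget(link));
}
```

The scanner belongs on the client side (a browser extension, a proxy that rewrites links, or the script that builds links on a page); the last line of output makes the point that the server's request log and input filters see only "/docs/report.pdf", with no trace of the payload.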

The XSS flaw affects Acrobat Reader 7 and prior versions on both Internet Explorer and Firefox for Windows. Vulnerable users are advised to disable JavaScript in the browser, upgrade to Acrobat Reader 8, or use an alternative PDF reader or plug-in for their browser of choice. Site operators should note that the fix has to happen on the client: the payload travels in the URL fragment, so server-side input filtering never sees it.

Posted by: Kelly Martin


Copyright 2009, SecurityFocus