Hi everyone,
This just came into my email and claims a security issue with Firefox and
other browser combinations but not IE7. Has anyone heard about this?

Thanks,
Rick
Hi,

I wanted to give everyone a heads-up on a very serious new application
security vulnerability that probably affects you. Basically, any application
that serves PDF files is likely to be vulnerable to XSS attacks.

Attackers simply have to add an anchor containing a script, e.g. add
#blah=javascript:alert(document.cookie); to ANY URL that ends in .pdf (or
streams a PDF). The browser hands off the anchor to the Adobe Reader plugin,
and the script then runs in the victim's browser.

You can find more information here:
http://www.gnucitizen.org/blog/universal-pdf-xss-after-party/

You can protect yourself by upgrading your browser and Adobe Reader. There are
many vulnerable browser/plugin combinations in use, including Firefox. However,
IE7 and IE6 SP2 do not appear vulnerable.

Protecting the users of your application from attack is more difficult. This
problem is entirely in the browser and the Adobe Reader. The anchor is not even
passed from the browser to the web application, so there's really not much you
can do in your code to detect an attack. You could stop serving PDF documents
or move them to a different server, but that's not realistic for many
organizations.

--Jeff

Jeff Williams, Chair
The OWASP Foundation
"Dedicated to finding and fighting the causes of insecure software"
  


Frederick J Eccher Jr
MBA
M.S. Management of Information Systems
A.B. Psychology
B.A. Biology
CIO, Community Partners
President, Board of Directors, Saint Louis Visual Basic Users Group
Vice President, Board of Directors, Saint Louis Web Developers


314-865-1606 [home]
314-369-3986 [cell] <== Reported stolen 20 Feb 2006, probably stolen on 10 Feb 2006
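The forwarded mail makes two points a defender should internalise: the `#...` anchor never reaches the web server, and the only real fix is to keep PDFs out of the inline reader plugin. The following added example (not code from either mail, and not an OWASP artefact) demonstrates both with a constructed URL and a minimal WSGI app; the `Content-Disposition: attachment` hardening and the `example.test` host are assumptions the mail itself does not mention.

```python
"""Added example, not code from the original mail: shows why the URL fragment
in the described PDF attack never reaches the server, plus one server-side
hardening the mail does not mention (serve PDFs as downloads, not inline)."""
import re
from urllib.parse import urlsplit
from wsgiref.util import setup_testing_defaults

# Constructed URL of the shape described in the forwarded mail.
SAMPLE_URL = "http://example.test/reports/q1.pdf#blah=javascript:alert(document.cookie);"

def request_target(url: str) -> str:
    """Return the path (and query) a browser actually sends on the wire. The
    '#...' fragment is client-side only, so server logs and WAFs never see it."""
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")

def pdf_headers(path: str, body_len: int) -> list:
    """Headers for a PDF response. Content-Disposition: attachment asks the
    browser to save the file instead of handing it to the inline reader plugin."""
    raw = path.rsplit("/", 1)[-1] or "document.pdf"
    filename = re.sub(r"[^A-Za-z0-9._-]", "_", raw)  # keep the header injection-free
    return [
        ("Content-Type", "application/pdf"),
        ("Content-Length", str(body_len)),
        ("Content-Disposition", f'attachment; filename="{filename}"'),
        ("X-Content-Type-Options", "nosniff"),
    ]

def app(environ, start_response):
    """Minimal WSGI app: any *.pdf path is served as a forced download.
    The body is a constructed placeholder, not a real PDF."""
    path = environ.get("PATH_INFO", "")
    if not path.endswith(".pdf"):
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    body = b"%PDF-1.4\n% constructed placeholder\n"
    start_response("200 OK", pdf_headers(path, len(body)))
    return [body]

def serve(url: str) -> tuple:
    """Drive app() with the request a browser would send for url; return
    (status, headers dict) so the hardening can be inspected offline."""
    environ, captured = {}, {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = urlsplit(url).path
    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)
    list(app(environ, start_response))
    return captured["status"], captured["headers"]
```

`request_target(SAMPLE_URL)` yields only `/reports/q1.pdf`, which is why no server-side filter can catch the script; `serve()` shows the download-only response a hardened handler would return instead.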
_______________________________________________
CWE-LUG mailing list
[email protected]
http://www.cwelug.org/
http://www.cwelug.org/archives/
http://www.cwelug.org/mailinglist/