Last night I came up with a proof of concept to exploit this locally: http://ha.ckers.org/blog/20070103/pdf-xss-can-compromise-your-machine/
If you have Adobe 7.0 installed there is a at least one standard PDF installed on the local drive. Ouch. -RSnake http://ha.ckers.org/ http://sla.ckers.org/ http://ha.ckers.org/fierce/ On Thu, 4 Jan 2007, Larry Seltzer wrote: >>> "According to public reports, this vulnerability is addressed in Adobe > Acrobat Reader 8.0." > > I've actually tested it. On Reader 8 Acrobat you get a messagebox that > says "This operation is not allowed" > > Larry Seltzer > eWEEK.com Security Center Editor > http://security.eweek.com/ > http://blog.eweek.com/blogs/larry%5Fseltzer/ > Contributing Editor, PC Magazine > [EMAIL PROTECTED] > > ---------------------------------------------------------------------------- > The Web Security Mailing List: > http://www.webappsec.org/lists/websecurity/ > > The Web Security Mailing List Archives: > http://www.webappsec.org/lists/websecurity/archive/ > http://www.webappsec.org/rss/websecurity.rss [RSS Feed] > > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
