Comments on: DANGER, DANGER, DANGER

By: SneakyWho_am_i

SneakyWho_am_i — Fri, 29 Aug 2008 17:17:28 +0000

At the time it would have meant that probably thousands of customers at my particular bank using IE6 and Firefox 2 were affected. While the number of vulnerable clients should be significantly lower now, I would still avoid offering PDFs in the vulnerable configuration at least until IE6 goes byebye, if it ever does. I think that a place like a bank simply could not afford to let even one or two customers log in affected by a bug of this magnitude, per year. Granted, banks probably have unique IDs on all their forms and yada yada yada… But every exploit you allow is a piece of the puzzle for a nice combined exploit that crumbles your bones to dust in the advent of Murphy’s Law. You can’t win forever et cetera et cetera….

By: XSS/Phising with PDF » JJHalans » halans.com

XSS/Phising with PDF » JJHalans » halans.com — Sun, 10 Aug 2008 03:51:30 +0000

[...] more at SecurityFocus (maillist thread) or GNUCitizen here and a follow up [...]

By: J@Â§Â¤Ã±’s Stack Trace » Blog Archive » Loal Cross-Site Scripting

Mon, 26 Feb 2007 03:14:15 +0000

[...] Â I don’t like the term Cross-Site Scripting.Â We’re in need of better terminology for the kind of attacks were seeing against Acrobat reader and Google Dessktop.Â Â I think Amit Klein did a good job point out the terminology problem.Â Â But I’m not happy with any of the suggested terms I’ve heard.Â Â [...]

By: J@Â§Â¤Ã±’s Stack Trace » Blog Archive » XSS in virtually every web site

Thu, 15 Feb 2007 23:02:06 +0000

[...] http://www.gnucitizen.org/blog.....er-danger/ [...]

By: MustLive

MustLive — Sun, 14 Jan 2007 17:25:58 +0000

This is very widespread vulnerability. I have already written my own article about UXSS (in Ukrainian).

And you may look at this example of such hole at microsoft’s site :-).

http://www.microsoft.com/windo.....('XSS‘)

By: gnugpl

gnugpl — Sun, 14 Jan 2007 11:06:18 +0000

I cannot reproduce the problem with xpdf and firefox on debian.

By: pdp

pdp — Fri, 12 Jan 2007 10:52:44 +0000

RDP, that’s interesting. Anyone getting similar results?

By: RDP

RDP — Fri, 12 Jan 2007 03:58:34 +0000

Using XP SP2,
FF 1.5.0.9,
PDF Downloader 0.7.6 and .8,
and AR 7.0.8 and now AR7.0.9 –

Uh… no change. The CIA link above still pops the XSS windows with 7.0.9 (even after rebooting)

Moving on to 8

By: MustLive

MustLive — Sun, 07 Jan 2007 20:21:10 +0000

It is realy danger and widespread vulnerability, boys.

The are up to 317 000 000 sites over the Web which have pdf files (as Google said). And every admin of every site need to deal with this Universal PDF XSS.

By: GNUCITIZEN » XSS Prelude

GNUCITIZEN » XSS Prelude — Sat, 06 Jan 2007 18:02:25 +0000

[...] September was also the month of WEB media related XSS issue. Vulnerabilities in QuickTime .mov, .qtl and Adobe .pdf were found. In January 2007 a Universal Cross-site Scripting (UXSS) hole was undiscloused in Adobe PDF documents. This vulnerability is considered the worst XSS ever seen. [...]

By: MustLive

MustLive — Sat, 06 Jan 2007 15:47:40 +0000

BTW, on Window PRO SP 2, only FF is vulnerable.

Not just FF, but also Mozilla which I use (Mozilla 1.7.7) also have this issue.

On Win XP Pro SP2 (and most probably XP HE also as previous Windows XP, such as Gold and SP1).

Just need Acrobat plugin installed in your browser.

By: Rod Trent at myITforum.com : Adobe responds to being blasted in the media about not patching vulnerability

Sat, 06 Jan 2007 14:10:50 +0000

[...] “Actually, security updaters for older versions of Adobe Reader (for those running old OS, or on intranets where individuals cannot upgrade versions) were already far along in development. The commercial press coverage arrived before the patches themselves were published, but after word of these patches was published:http://www.gnucitizen.org/blog.....er-danger/ (see Leonard Rosenthol comment)The Adobe Security Advisory on the subject advises that those additional old-version updaters are expected online next week:http://www.adobe.com/support/s.....l(I'd recommend using the current version if your situation doesn’t prohibit doing so… faster, more abilities, more fun to use too.)jd/adobe” Published Saturday, January 06, 2007 10:10 AM by rtrent Filed under Software [...]

By: The Daily Tech Connection » Blog Archives » When JavaScript Attacks!

The Daily Tech Connection » Blog Archives » When JavaScript Attacks! — Sat, 06 Jan 2007 07:22:27 +0000

[...] Benign POC (Proof of Concept): GNUCitizen [...]

By: Dixie Scott

Dixie Scott — Fri, 05 Jan 2007 20:50:30 +0000

I have Windows 2000 Professional, IE6, Acrobat Reader 4.0. Does this affect me? I have my bank online and pay bills online with my checking acct. Am a student online also. Should I delete it? Cannot get higher version with win2k.

By: Kent Brewster

Kent Brewster — Fri, 05 Jan 2007 16:54:14 +0000

To help mitigate this problem at the server end, the following Apache URL rewrite rules:

RewriteCond %{HTTP_HOST} ^.*yourdomain\.com$ [NC]
RewriteRule ^(.*\.pdf)$ http://%{SERVER_ADDR}$1 [NC,R]

... should redirect requests for PDFs hosted here:

yourdomain.com/yourdir/your.pdf

... to here: youripaddress/yourdir/your.pdf Since you're probably setting cookies on your domain and not your IP address, most XSS approaches should hit a wall.

By: Ankit Singla

Ankit Singla — Fri, 05 Jan 2007 16:06:06 +0000

Running FFx 2 and Reader 8, I got an alert that said “This operation is not allowed” and then the adobe pdf file opened correctly using the second link. The first link doesn’t tell the browser it’s a pdf so it didn’t open using the plugin.

By: James Pulver

James Pulver — Fri, 05 Jan 2007 15:51:27 +0000

Still no popup in Opera 9.10. Got it in FF2.0.0.1.

By: pdp

pdp — Fri, 05 Jan 2007 14:40:17 +0000

this is because Google fixed it by adding the following header to the response:

Content-disposition: attachement filename=filename_of_the_document.pdf

try

http://www.foia.cia.gov/2020/2020.pdf#something=javascript:alert('xss');

By: James Pulver

James Pulver — Fri, 05 Jan 2007 14:29:57 +0000

I can’t get this to work in FF 2.0.0.1 with Acrobat Reader 7.0.5 or in Opera 9.10 …
Does this only work if you use the plugin?

I have both set to open in Acrobat Reader, so I get a download box, and then Acrobat Reader opens up…

By: En nog iets.nl » Blog Archive » PDF - En wat Javascript

En nog iets.nl » Blog Archive » PDF - En wat Javascript — Fri, 05 Jan 2007 08:38:11 +0000

[...] Op gnucitizen.org is te lezen dat het tÃ© makkelijk is om links naar PDF bestanden te maken, met daarbij een lading ‘malicious’ javascript. Dit mede mogelijk gemaakt door de zogenaamde “Acrobatâ€™s open parameter features“. [...]