Comments on: Universal PDF XSS After Party /blog/universal-pdf-xss-after-party/ Information Security Think Tank Thu, 21 Aug 2008 19:33:22 +0000 http://wordpress.org/?v=2.6.1 By: Universal PDF XSS | Forums Blog /blog/universal-pdf-xss-after-party/#comment-122403 Universal PDF XSS | Forums Blog Sun, 01 Jun 2008 13:40:17 +0000 http://www.gnucitizen.org/blog/universal-pdf-xss-after-party#comment-122403 [...] in many new creative ways. I will be discussing this issue in my next podcast, till then read up on it here or at [...] [...] in many new creative ways. I will be discussing this issue in my next podcast, till then read up on it here or at [...]

]]> By: DReTeN /blog/universal-pdf-xss-after-party/#comment-85524 DReTeN Wed, 12 Dec 2007 19:13:53 +0000 http://www.gnucitizen.org/blog/universal-pdf-xss-after-party#comment-85524 you just gotta convince them to get the newest version of Acrobat. That's why there are updates and improved versions, to fix the bugs and vulnerabilities of previous editions. you just gotta convince them to get the newest version of Acrobat. That’s why there are updates and improved versions, to fix the bugs and vulnerabilities of previous editions.

]]> By: Edward /blog/universal-pdf-xss-after-party/#comment-76346 Edward Sat, 24 Nov 2007 10:54:41 +0000 http://www.gnucitizen.org/blog/universal-pdf-xss-after-party#comment-76346 We allow users to try our software by uploading documents to an application we host. Some of the uploaded documents can be seen and accessed by other users. What kind of measures can we take so that users with older Acrobat versions are not compromised? We allow users to try our software by uploading documents to an application we host. Some of the uploaded documents can be seen and accessed by other users.

What kind of measures can we take so that users with older Acrobat versions are not compromised?

]]> By: alex /blog/universal-pdf-xss-after-party/#comment-14187 alex Thu, 12 Apr 2007 20:07:12 +0000 http://www.gnucitizen.org/blog/universal-pdf-xss-after-party#comment-14187 hi nice site. hi nice site.

]]> By: Robo de cookies en Myspace « | Seguridad01 | TECNOLOGIAS Y SEGURIDAD INFORMÁTICA /blog/universal-pdf-xss-after-party/#comment-6926 Robo de cookies en Myspace « | Seguridad01 | TECNOLOGIAS Y SEGURIDAD INFORMÁTICA Thu, 15 Mar 2007 15:59:23 +0000 http://www.gnucitizen.org/blog/universal-pdf-xss-after-party#comment-6926 [...] Robo de cookies en Myspace Sí, y esque ni el santo grial se libra (Universal Google XSS). Ahora le toca a las cookies , XSS y a myspace ¿buena combinación no?. El usuario rMrGvG más conocidos por sus advisors a importantes páginas y CMS. Ha descubierto que es posible robar cookies de usuarios de myspace a traves de ataques XSS y CSS (Cross Site Scripting). [...] [...] Robo de cookies en Myspace Sí, y esque ni el santo grial se libra (Universal Google XSS). Ahora le toca a las cookies , XSS y a myspace ¿buena combinación no?. El usuario rMrGvG más conocidos por sus advisors a importantes páginas y CMS. Ha descubierto que es posible robar cookies de usuarios de myspace a traves de ataques XSS y CSS (Cross Site Scripting). [...]

]]> By: erez /blog/universal-pdf-xss-after-party/#comment-2442 erez Tue, 16 Jan 2007 14:08:47 +0000 http://www.gnucitizen.org/blog/universal-pdf-xss-after-party#comment-2442 seems to be fixed with the latest 7.0.9 patch... seems to be fixed with the latest 7.0.9 patch…

]]> By: pdp /blog/universal-pdf-xss-after-party/#comment-2252 pdp Fri, 12 Jan 2007 10:51:27 +0000 http://www.gnucitizen.org/blog/universal-pdf-xss-after-party#comment-2252 thanks Sebastian, that was very helpful thanks Sebastian, that was very helpful

]]> By: Sebastian Wolfgarten /blog/universal-pdf-xss-after-party/#comment-2227 Sebastian Wolfgarten Thu, 11 Jan 2007 17:55:53 +0000 http://www.gnucitizen.org/blog/universal-pdf-xss-after-party#comment-2227 Okay, some stuff was stripped out from my previous posting...you basically need to wrap a FilesMatch-directive around the aforementioned "Header" settings... Hope that helps! Bye, Seb Okay, some stuff was stripped out from my previous posting…you basically need to wrap a FilesMatch-directive around the aforementioned “Header” settings…

Hope that helps!

Bye,
Seb

]]> By: Sebastian Wolfgarten /blog/universal-pdf-xss-after-party/#comment-2226 Sebastian Wolfgarten Thu, 11 Jan 2007 17:54:45 +0000 http://www.gnucitizen.org/blog/universal-pdf-xss-after-party#comment-2226 Hi, well one way to prevent people from exploiting your customers is to add the following directive to Apache's httpd.conf: Header unset Content-Disposition Header add Content-Disposition "attachment; filename=document.pdf" This will cause a save/open dialogue to pop up every time a user tries to download a .pdf file. As the "normal" Acrobat is not vulnerable (it's just the plugin), potentially attached malicious code will not be executed. If one wants to keep the original name of the .pdf file untouched, then one could use Apache's environment variables rather than setting it to "filename=document.pdf". Bye, Sebastian Hi,

well one way to prevent people from exploiting your customers is to add the following directive to Apache’s httpd.conf:

Header unset Content-Disposition
Header add Content-Disposition “attachment; filename=document.pdf”

This will cause a save/open dialogue to pop up every time a user tries to download a .pdf file. As the “normal” Acrobat is not vulnerable (it’s just the plugin), potentially attached malicious code will not be executed. If one wants to keep the original name of the .pdf file untouched, then one could use Apache’s environment variables rather than setting it to “filename=document.pdf”.

Bye,
Sebastian

]]> By: matt /blog/universal-pdf-xss-after-party/#comment-2120 matt Tue, 09 Jan 2007 09:54:36 +0000 http://www.gnucitizen.org/blog/universal-pdf-xss-after-party#comment-2120 Nice Work. Nice Work.

]]> By: marvin /blog/universal-pdf-xss-after-party/#comment-2076 marvin Mon, 08 Jan 2007 09:10:55 +0000 http://www.gnucitizen.org/blog/universal-pdf-xss-after-party#comment-2076 i tried that link, and it doesn't alert me with xss, but it prompts me to download that pdf file. Im using firefox 1.5.0.9 under ubuntu dapper i tried that link, and it doesn’t alert me with xss, but it prompts me to download that pdf file. Im using firefox 1.5.0.9 under ubuntu dapper

]]> By: fearphage /blog/universal-pdf-xss-after-party/#comment-2056 fearphage Mon, 08 Jan 2007 01:52:05 +0000 http://www.gnucitizen.org/blog/universal-pdf-xss-after-party#comment-2056 This is already patched in Opera This is already patched in Opera

]]> By: Ingenieros… ¿ lo lograremos ? » Corrigiendo algunos fallos… /blog/universal-pdf-xss-after-party/#comment-2045 Ingenieros… ¿ lo lograremos ? » Corrigiendo algunos fallos… Sun, 07 Jan 2007 21:58:18 +0000 http://www.gnucitizen.org/blog/universal-pdf-xss-after-party#comment-2045 [...] - Ataque PDF: Todos vulnerables - Ataque PDF (II) : Y en tu ordenador también - Universal PDF XSS After Party Categoría: Sobre el blog | [...] [...] - Ataque PDF: Todos vulnerables - Ataque PDF (II) : Y en tu ordenador también - Universal PDF XSS After Party Categoría: Sobre el blog | [...]

]]> By: MustLive /blog/universal-pdf-xss-after-party/#comment-2044 MustLive Sun, 07 Jan 2007 20:28:39 +0000 http://www.gnucitizen.org/blog/universal-pdf-xss-after-party#comment-2044 <blockquote>Disable JavaScript or update to Acrobat 8.</blockquote> Or disable Acrobat plugin, or even delete it. For your main browser or for all browsers in the system. There are many suggestions. Guys, as Google tell me, the are up to 317 000 000 sites in the Internet which have pdf files (and they all have this vulnerability). So every admin of every site and every user need to deal with this Universal PDF XSS.

Disable JavaScript or update to Acrobat 8.

Or disable Acrobat plugin, or even delete it. For your main browser or for all browsers in the system. There are many suggestions.

Guys, as Google tell me, the are up to 317 000 000 sites in the Internet which have pdf files (and they all have this vulnerability). So every admin of every site and every user need to deal with this Universal PDF XSS.

]]> By: Mighty Seek - Web Application Security Podcast and Blog » Blog Archive » Universal PDF XSS /blog/universal-pdf-xss-after-party/#comment-2000 Mighty Seek - Web Application Security Podcast and Blog » Blog Archive » Universal PDF XSS Sun, 07 Jan 2007 02:17:03 +0000 http://www.gnucitizen.org/blog/universal-pdf-xss-after-party#comment-2000 [...] Cross Site scripting attacks are getting even more dangerous these days, and exploitable in many new creative ways. I wil be discussing this issue in my next podcast, till then read up on it here or at ha.ckers.org [...] [...] Cross Site scripting attacks are getting even more dangerous these days, and exploitable in many new creative ways. I wil be discussing this issue in my next podcast, till then read up on it here or at ha.ckers.org [...]

]]> By: MobileRead Networks - Unpatched Adobe Reader users in jeopardy /blog/universal-pdf-xss-after-party/#comment-1992 MobileRead Networks - Unpatched Adobe Reader users in jeopardy Sat, 06 Jan 2007 22:00:24 +0000 http://www.gnucitizen.org/blog/universal-pdf-xss-after-party#comment-1992 [...] Unpatched Adobe Reader users in jeopardy Stefano Di Paola and Giorgio Fedon uncovered a serious cross-site scripting vulnerability that affects unpatched versions of the Adobe Reader plug-in which is used to view PDF files from within Web browsers. The vulnerability could allow an attacker to run malicious Javascript code on compromised systems. Security researchers advise us to update Adobe to at least V7.0.9 or V8.0. Alternatively, you can disable the Adobe Reader browser plug-in (in Firefox within the Settings / Content / Filetypes menu). Or alternatively, use Foxit Reader instead. Original paper discussing the vulnerability: link (careful, PDF!) Technical explanation of the vulnerability: link [via CNet] [...] [...] Unpatched Adobe Reader users in jeopardy Stefano Di Paola and Giorgio Fedon uncovered a serious cross-site scripting vulnerability that affects unpatched versions of the Adobe Reader plug-in which is used to view PDF files from within Web browsers. The vulnerability could allow an attacker to run malicious Javascript code on compromised systems. Security researchers advise us to update Adobe to at least V7.0.9 or V8.0. Alternatively, you can disable the Adobe Reader browser plug-in (in Firefox within the Settings / Content / Filetypes menu). Or alternatively, use Foxit Reader instead. Original paper discussing the vulnerability: link (careful, PDF!) Technical explanation of the vulnerability: link [via CNet] [...]

]]> By: Jeremy Hannon /blog/universal-pdf-xss-after-party/#comment-1954 Jeremy Hannon Fri, 05 Jan 2007 22:34:59 +0000 http://www.gnucitizen.org/blog/universal-pdf-xss-after-party#comment-1954 Google may have changed their content-disposition to force the browser to treat it as a download rather than in-line. That appears to mitigate the threat. Google may have changed their content-disposition to force the browser to treat it as a download rather than in-line. That appears to mitigate the threat.

]]> By: Louise /blog/universal-pdf-xss-after-party/#comment-1952 Louise Fri, 05 Jan 2007 22:02:06 +0000 http://www.gnucitizen.org/blog/universal-pdf-xss-after-party#comment-1952 Everyone, I got http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here to run in FF 1.5.0.7 on windows XP, but the file one did not run in that version Everyone,

I got http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here to run in FF 1.5.0.7 on windows XP, but the file one did not run in that version

]]> By: Joel /blog/universal-pdf-xss-after-party/#comment-1950 Joel Fri, 05 Jan 2007 21:28:46 +0000 http://www.gnucitizen.org/blog/universal-pdf-xss-after-party#comment-1950 From what I found (http://secunia.com/advisories/23483/) they claim that this can affect both IE and FF depends on the specific version of browser and acrobat. Although the alert did not work for me on FF (up to date 2.0.0.1) this did work. file:///C:/Program%20Files/Adobe/Acrobat%206.0/Help/ENU/Pdfmark.pdf#a=javascript:window.location.href='http://www.google.com'; So my guess is the bug exists just because the plugin takes the window over, we don't get to see that window, however the bug does exist, and can be used. Joel From what I found (http://secunia.com/advisories/23483/) they claim that this can affect both IE and FF depends on the specific version of browser and acrobat.

Although the alert did not work for me on FF (up to date 2.0.0.1) this did work.

file:///C:/Program%20Files/Adobe/Acrobat%206.0/Help/ENU/Pdfmark.pdf#a=javascript:window.location.href=’http://www.google.com’;

So my guess is the bug exists just because the plugin takes the window over, we don’t get to see that window, however the bug does exist, and can be used.

Joel

]]> By: Klir /blog/universal-pdf-xss-after-party/#comment-1939 Klir Fri, 05 Jan 2007 16:34:51 +0000 http://www.gnucitizen.org/blog/universal-pdf-xss-after-party#comment-1939 It’s not occurs on IE 7, IE6 SP2 FF 2.0.2 , 1.5.0.9 on windows XP ... If a user still didn’t understand that he needs to upgrade to the latest patch than maybe he deserve to be hacked… It’s not occurs on IE 7, IE6 SP2 FF 2.0.2 , 1.5.0.9 on windows XP …
If a user still didn’t understand that he needs to upgrade to the latest patch than maybe he deserve to be hacked…

]]>