Bugtraq mailing list archives
Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
From: "pdp (architect)" <pdp.gnucitizen () googlemail com>
Date: Thu, 4 Jan 2007 08:09:38 +0000
ahhh, fragment identifiers make sense to browsers only. they are not sent to the server.

On 1/4/07, der wert <derwert () hotmail com> wrote:
> The best solution I see would be to keep all pdf files in a non-web accessible location on the web server, then have all the pdf files outputted through a script such as a php script. In php you can check what the REQUEST_URI is; if it isn't equal to what you were expecting, which would mean extra parameters were taken away or added, then you could just have the php script not output the pdf file, since that would mean someone had been tampering with the URI.
>
> D
-- pdp (architect) | petko d. petkov http://www.gnucitizen.org
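The following is an added illustration of the exchange above; it is example code written for this archive page, not code from either poster. It models der wert's proposed server-side REQUEST_URI comparison and the request a browser actually sends, to show why pdp's objection holds: the fragment never reaches the server, so the check cannot see it. The handler path /getpdf.php, the `file` parameter, the expected URI and the sample URLs are all constructed for illustration.

```python
"""Server-side REQUEST_URI check vs. a fragment-based payload (added example).

Models the mitigation proposed in the thread (serve PDFs through a script that
refuses any REQUEST_URI other than the expected one) and what a browser really
transmits. Handler path, parameter name and URLs below are assumptions.
"""
from urllib.parse import urlsplit

# Hypothetical: the only URI the serving script is willing to answer.
EXPECTED_REQUEST_URI = "/getpdf.php?file=report.pdf"


def request_target(url: str) -> str:
    """Return the request-target the browser sends for `url`.

    The fragment (everything after '#') is a client-side construct and is
    never transmitted (RFC 3986 section 3.5). PHP's $_SERVER['REQUEST_URI']
    is exactly this: path plus query, fragment excluded.
    """
    parts = urlsplit(url)
    path = parts.path or "/"
    return path + ("?" + parts.query if parts.query else "")


def server_side_check(request_uri: str) -> bool:
    """The proposed check: output the PDF only for the exact expected URI.

    Added or removed query parameters are caught here, as the proposal says.
    """
    return request_uri == EXPECTED_REQUEST_URI


def would_serve(url: str) -> bool:
    """End to end: browser strips the fragment, server compares what arrives."""
    return server_side_check(request_target(url))


if __name__ == "__main__":
    # Constructed sample URLs; example.invalid is a reserved name.
    benign = "http://example.invalid/getpdf.php?file=report.pdf"
    tampered_query = "http://example.invalid/getpdf.php?file=report.pdf&x=1"
    fragment_payload = (
        "http://example.invalid/getpdf.php?file=report.pdf"
        "#attacker-controlled-fragment"
    )
    for u in (benign, tampered_query, fragment_payload):
        print(f"{u}\n  server sees {request_target(u)!r} -> serve={would_serve(u)}")
```

Running it shows the tampered query string is rejected while the URL carrying a fragment is served unchanged: the script is comparing a string that the fragment was never part of. A server-side component can only act on what it receives (request line, headers, body), so a defence against content delivered in the fragment has to take effect in the browser, for example through response headers that change how the PDF is handled rather than through inspection of the request.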
Current thread:
- Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous pdp (architect) (Jan 04)
- <Possible follow-ups>
- Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous Rude Yak (Jan 04)
- RE: [WEB SECURITY] Universal XSS with PDF files: highly dangerous RSnake (Jan 04)
- RE: [WEB SECURITY] Universal XSS with PDF files: highly dangerous Martin O'Neal (Jan 04)
- Re: Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous rudeyak (Jan 04)
- RE: [WEB SECURITY] Universal XSS with PDF files: highly dangerous Martin O'Neal (Jan 08)
- Re: Re: Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous rudeyak (Jan 08)
- Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous pdp (architect) (Jan 08)
- RE: [WEB SECURITY] Universal XSS with PDF files: highly dangerous Tom Stripling (Jan 09)