Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Universal PDF XSS After Party(posible solution)

From: "Noe Espinoza M." <nespinoza () grupowissen com>
Date: Thu, 4 Jan 2007 12:25:46 -0600
We need to force to the users do download  the pdf files

And we can add to the httpd.conf or .htaccess the next code

SetEnvIf Request_URI "\.pdf$" requested_pdf=pdf
Header add Content-Disposition "Attachment" env=requested_pdf


Other solution is protect our pdf files to external links (hotlinking)

Add in .htacces

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://([-a-z0-9]+\.)?example\.com[NC]
RewriteRule .*\.(pdf)$ http://www.example.com/images/noexternal.gif [R,NC,L]


Source from
http://seguinfo.blogspot.com/2007/01/hacking-con-browser-plugins.html



-----Mensaje original-----
De: pdp (architect) [mailto:pdp.gnucitizen () googlemail com] 
Enviado el: jueves, 04 de enero de 2007 7:17
Para: full-disclosure () lists grok org uk; bugtraq () securityfocus com; Web
Security
Asunto: Universal PDF XSS After Party

Everybody knows about it. Everybody talks about it. We had a nice
party. It is time for estimating the damages. In this article I will
try to show the impact of the Universal PDF XSS vulnerability by
explaining how it can be used in real life situations.

http://www.gnucitizen.org/blog/universal-pdf-xss-after-party/

-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: