funsec mailing list archives
Re: IE/PDF combo bug?
From: Peter Kosinar <goober () nuf ksp sk>
Date: Wed, 25 Nov 2009 21:19:01 +0100 (CET)
Summing it up, it seems to look like this: 1) Open a *local* file in IE. 2) Use some nice software for "printing into PDF" (like CuteWriter) to print it into PDF. 3) Check the resulting PDF's "Document Properties". The title of the document will contain the full path to the local file you had open in IE. That's it. It seems that if, instead of opening a local file in step 1, you opened a remote one (like, a page on some site), the title of the document would correspond to the title of the webpage (i.e. it will not contain the URL of the page, but rather its proper title)... which seems somewhat inconsistent. Unlike IE, some other browsers seem to provide the title of the document consistently for both local and remote files, thus not revealing anything [*] about you. Naturally, the whole issue is irrelevant if the software used in step 2 ignores the "title" provided by IE (which some of such software actually does). Personally, I see this as somewhat counter-intuitive behaviour, but nothing of the gaping-security-hole kind. :-) Peter [*] Not completely true -- at least one PDF-writer includes your username in the document ;-) But no, this is not the end of the world either. -- [Name] Peter Kosinar [Quote] 2B | ~2B = exp(i*PI) [ICQ] 134813278 _______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Current thread:
- IE/PDF combo bug? Rob, grandpa of Ryan, Trevor, Devon & Hannah (Nov 25)
- Re: IE/PDF combo bug? Peter Kosinar (Nov 25)