Full Disclosure mailing list archives
Re: Universal PDF XSS After Party(posible solution)
From: "Darren Bounds" <dbounds () gmail com>
Date: Thu, 4 Jan 2007 13:45:18 -0500
If I recall correctly from the Content-Disposition HTML attachment handling vulnerabilities last year, Opera didn't reliably abide by the Content-Disposition header. Additionally, Content-Disposition support in IE, Firefox, Opera, Safari and a few others was extremely inconsistent from version to version. -- Thank you, Darren Bounds On 1/4/07, Noe Espinoza M. <nespinoza () grupowissen com> wrote:
We need to force to the users do download the pdf files And we can add to the httpd.conf or .htaccess the next code SetEnvIf Request_URI "\.pdf$" requested_pdf=pdf Header add Content-Disposition "Attachment" env=requested_pdf Other solution is protect our pdf files to external links (hotlinking) Add in .htacces RewriteEngine on RewriteCond %{HTTP_REFERER} !^$ RewriteCond %{HTTP_REFERER} !^http://([-a-z0-9]+\.)?example\.com[NC] RewriteRule .*\.(pdf)$ http://www.example.com/images/noexternal.gif [R,NC,L] Source from http://seguinfo.blogspot.com/2007/01/hacking-con-browser-plugins.html -----Mensaje original----- De: pdp (architect) [mailto:pdp.gnucitizen () googlemail com] Enviado el: jueves, 04 de enero de 2007 7:17 Para: full-disclosure () lists grok org uk; bugtraq () securityfocus com; Web Security Asunto: Universal PDF XSS After Party Everybody knows about it. Everybody talks about it. We had a nice party. It is time for estimating the damages. In this article I will try to show the impact of the Universal PDF XSS vulnerability by explaining how it can be used in real life situations. http://www.gnucitizen.org/blog/universal-pdf-xss-after-party/ -- pdp (architect) | petko d. petkov http://www.gnucitizen.org _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Universal PDF XSS After Party pdp (architect) (Jan 04)
- Re: Universal PDF XSS After Party T Biehn (Jan 04)
- Re: Universal PDF XSS After Party T Biehn (Jan 04)
- Re: Universal PDF XSS After Party(posible solution) Noe Espinoza M. (Jan 04)
- Re: Universal PDF XSS After Party(posible solution) Darren Bounds (Jan 04)
- Re: [WEB SECURITY] RE: Universal PDF XSS After Party(posible solution) RSnake (Jan 04)
- Re: Universal PDF XSS After Party T Biehn (Jan 04)