WebApp Sec mailing list archives
RE: Universal PDF XSS Remediation (Fix)
From: "Cyrill Brunschwiler" <cyrill.brunschwiler () csnc ch>
Date: Wed, 14 Feb 2007 07:11:42 +0100
Pdp, I agree, it's a client issue and to fix it entirely one has to update Acrobat.
pdp wrote: IMHO, you misunderstand the impact of this vulnerability. You are assuming that the user clicks on a pdf link which executes the malicious JavaScript. That's not always the case. I've seen various solutions to this issue and none of them work. The best thing to do is to upgrade to Reader 7.9 or 8. Even when you try to do some crazy redirection-token-magic :), it is up to the client to decide how that is going to be processed. In several simple steps the remote PDF file can be cached and recalled via <object data="http://[path to file]"></object>. This also bypasses the content-disposition fix plus several other fixes.
Did you already describe that behavior anywhere? I'd really like to know a bit more about the "several simple steps".
As I said, the best thing to do is to upgrade. Use JavaScript to check the version of the PDF plugin and if it is less than 7.9 prompt the user. This is it.
As we all know, it relies on the user whether he/she's going to definitely patch his/her software. Nonetheless, I would be interested in that JavaScript.
Thanks,
Cyrill
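The plugin version check suggested in the quoted text, sketched as an added example that is not code from this thread or its participants. The function names, the `{name, description}` plugin shape (as in `navigator.plugins`) and the presence of a dotted version number in the description string are assumptions; the 7.9 threshold is the one named in the message.

```javascript
// Added example: advisory check of the installed PDF plugin version.
// Assumption: a dotted version number appears in the plugin's name or
// description, e.g. "Adobe Acrobat Plug-In Version 7.00 for Netscape".
const MIN_VERSION = "7.9"; // threshold named in the thread

// Return the first dotted number found in the text, or null.
function extractVersion(text) {
  const m = /\d+(?:\.\d+)*/.exec(String(text || ""));
  return m ? m[0] : null;
}

// Numeric, component-wise comparison: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// plugins: array-like of {name, description}; in a browser, navigator.plugins.
// status "absent" only means nothing was listed through this interface.
function checkPdfPlugin(plugins, minVersion = MIN_VERSION) {
  const pdf = Array.from(plugins || []).filter((p) =>
    /acrobat|adobe (pdf|reader)/i.test(`${p.name} ${p.description}`));
  if (pdf.length === 0) return { status: "absent", version: null };
  const versions = pdf
    .map((p) => extractVersion(p.description) || extractVersion(p.name))
    .filter(Boolean);
  if (versions.length === 0) return { status: "unknown", version: null };
  // Report the oldest matching plugin: one stale copy is enough to prompt.
  const oldest = versions.reduce((lo, v) => (compareVersions(v, lo) < 0 ? v : lo));
  const status = compareVersions(oldest, minVersion) < 0 ? "outdated" : "ok";
  return { status, version: oldest };
}

// Prompt on anything that is not a confirmed current version.
function shouldPromptUpgrade(result) {
  return result.status === "outdated" || result.status === "unknown";
}
```

In a page this would be called as `shouldPromptUpgrade(checkPdfPlugin(navigator.plugins))`; the result only drives an upgrade prompt, since the decision to patch stays with the user.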