Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
- From: "Prasad Shenoy" <prasad.shenoy@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
- Date: Wed, 3 Jan 2007 11:35:41 -0500
It works with IE 6 SP 2 for versions of Acro Reader older than 8.0
Thanks.
On 1/3/07, Richard Moore <rich@westpoint.ltd.uk> wrote:
>
>
> Amit Klein wrote:
> > pdp (architect) wrote:
> >
> >> I will be very quick and just point to links where you can read about
> >> this issue.
> >>
> >> It seems that PDF documents can execute JavaScript code for no
> >> apparent reason by using the following template:
> >>
> >> http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here
>
> Works on:
>
> Firefox 2.0.0.1 win32
> Firefox 1.5.0.8 win32
> Opera 8.5.4 build 770 win32
> Opera 9.10.8679 win32
>
> But doesn't work here on IE6 or IE7.
>
> Cheers
>
> Rich.
> --
> Richard Moore, Principal Software Engineer,
> Westpoint Ltd,
> Albion Wharf, 19 Albion Street, Manchester, M1 5LN, England
> Tel: +44 161 237 1028
> Fax: +44 161 237 1031
>
>
> ----------------------------------------------------------------------------
> The Web Security Mailing List:
> http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
>
--
Prasad
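
A check for links of the shape quoted in this thread, as an added example that is not part of the original messages: the fragment after `#` is never sent to the web server, so the place a defender can see it is in links inside submitted or outgoing content. The function names and the sample URLs other than the thread's own template are assumptions.

```javascript
// Added example (hypothetical helper names): flag links that point at a PDF
// and carry a javascript: value in a fragment parameter, i.e. the
// "file.pdf#name=javascript:..." template quoted in the thread.

function decodeLoose(s) {
  // Percent-decode, but never throw on malformed escapes.
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Returns the names of fragment parameters whose value is a javascript: URI.
// `base` is optional and is used to resolve relative links.
function suspiciousPdfFragmentParams(link, base) {
  let u;
  try { u = new URL(link, base); } catch (e) { return []; } // unparseable
  // Only PDF targets are of interest; compare case-insensitively.
  if (!/\.pdf$/i.test(decodeLoose(u.pathname))) return [];
  const hits = [];
  for (const pair of u.hash.replace(/^#/, "").split("&")) {
    const eq = pair.indexOf("=");
    if (eq < 0) continue; // no value, e.g. "#page3"
    const name = decodeLoose(pair.slice(0, eq));
    // Conservative normalisation: decode, drop whitespace and control
    // characters, lowercase, then compare the scheme.
    const value = decodeLoose(pair.slice(eq + 1))
      .replace(/[\s\u0000-\u001f]/g, "")
      .toLowerCase();
    if (value.startsWith("javascript:")) hits.push(name);
  }
  return hits;
}

// Constructed sample links; the first is the template from the thread.
const samples = [
  "http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here",
  "http://example.test/docs/a.PDF#x=1&y=JavaScript%3Aplaceholder",
  "http://example.test/docs/a.pdf#page=3",
  "http://example.test/index.html#x=javascript:placeholder",
];
for (const s of samples) {
  console.log(suspiciousPdfFragmentParams(s).length ? "FLAG " : "ok   ", s);
}
```

A content filter or outbound-link rewriter would call `suspiciousPdfFragmentParams` on each `href` and strip the fragment from any link it flags.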