
Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous



The best solution I see would be to keep all PDF files in a non-web-accessible location on the web server, then have all the PDF files output through a script such as a PHP script. In PHP you can check what the REQUEST_URI is; if it isn't equal to what you were expecting, which would mean extra parameters were taken away or added, then you could just have the PHP script not output the PDF file, since that would mean someone had been tampering with the URI.

D
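The approach described in the reply above, written out as an added example in PHP (my code, not the poster's): the PDF directory, the `/pdf/` URL prefix and the rewrite rule are assumptions.

```php
<?php
// serve_pdf.php: added example, not code from the original post.
// Assumptions (mine): PDFs are stored in /var/www/private_pdfs, outside the
// document root, and a rewrite rule such as
//   RewriteRule ^pdf/([A-Za-z0-9_-]+\.pdf)$ /serve_pdf.php?file=$1 [L]
// maps the public URL /pdf/<name>.pdf onto this script.
declare(strict_types=1);

const PDF_DIR = '/var/www/private_pdfs';

function deny(int $status): void
{
    http_response_code($status);
    header('Content-Type: text/plain');
    echo "Not available\n";
    exit;
}

// 1. Only plain file names: letters, digits, "_" and "-", ending in ".pdf".
$file = (string) ($_GET['file'] ?? '');
if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.pdf\z/', $file)) {
    deny(404);
}

// 2. Rebuild the only URI we are willing to serve and compare it byte for
//    byte with what the browser actually requested. REQUEST_URI includes the
//    query string, so any added or removed parameter fails the comparison.
$expected = '/pdf/' . $file;
if (($_SERVER['REQUEST_URI'] ?? '') !== $expected) {
    deny(400);
}

// 3. Resolve the file inside PDF_DIR and refuse anything that escapes it.
$path = realpath(PDF_DIR . '/' . $file);
if ($path === false || !is_file($path)
    || strncmp($path, PDF_DIR . '/', strlen(PDF_DIR) + 1) !== 0) {
    deny(404);
}

// 4. Deliver as a download. Content-Disposition: attachment is my addition
//    beyond the post: the browser saves the file instead of rendering it inline.
header('Content-Type: application/pdf');
header('Content-Disposition: attachment; filename="' . $file . '"');
header('X-Content-Type-Options: nosniff');
header('Content-Length: ' . filesize($path));
readfile($path);
```

A URL fragment (`#...`) is never sent to the server, so REQUEST_URI cannot show whether one was appended; the attachment header is what stops the file from being rendered inline in the browser.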




Brought to you by http://www.webappsec.org