[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous

From: "pdp (architect)" <pdp.gnucitizen@xxxxxxxxxxxxxx>
Subject: Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
Date: Thu, 4 Jan 2007 08:09:38 +0000

ahhh, fragment identifiers make sense to browsers only. they are not
send to the server

On 1/4/07, der wert <derwert@xxxxxxxxxxx> wrote:


The best solution I see would be to keep all pdf files in a non-web
accessible location on the web server, then have all the pdf files outputed
through a script such as a php script. In php you can check the what the
REQUEST_URI is, if it isn't equal to what you were expecting which would
mean extra parameters were taken away or added then you could just have the
php script not output the pdf file since that would mean someone had been
tampering with the URI.

________________________________
Get free, personalized online radio with MSN Radio powered by Pandora. Try
it!

--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org

---------------------------------------------------------------------------- The Web Security Mailing List: http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/archive/ http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Follow-Ups:
- Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
  - From: skarvin

References:
- Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
  - From: der wert

Prev by Date: Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
Next by Date: [WEB SECURITY] RE: [Full-disclosure] Universal XSS with PDF files: highly dangerous
Previous by thread: Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
Next by thread: Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
Index(es):
- Date
- Thread

Brought to you by http://www.webappsec.org
Search this site