
Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous




Hi all,

Another possible solution is to use the Apache mod_security to filter that
kind of URL.

bye

2007/1/4, pdp (architect) <pdp.gnucitizen@googlemail.com>:
>
> ahhh, fragment identifiers make sense to browsers only. they are not
> sent to the server
>
> On 1/4/07, der wert <derwert@hotmail.com> wrote:
> >
> > The best solution I see would be to keep all PDF files in a non-web
> > accessible location on the web server, then have all the PDF files
> > output through a script such as a PHP script. In PHP you can check what
> > the REQUEST_URI is; if it isn't equal to what you were expecting, which
> > would mean extra parameters were taken away or added, then you could just
> > have the PHP script not output the PDF file, since that would mean
> > someone had been tampering with the URI.
> >
> > D
> >
>
>
> --
> pdp (architect) | petko d. petkov
> http://www.gnucitizen.org
>


-- 
Regards,

This message was written entirely with recycled electrons.

blog: http://skarvin.blogspot.com
#include <stdio.h>
#include <string.h>
int main(void){int j=1234;char t[]=":@abcdefghijklmnopqrstuvwxyz.\n",*i=
"iqgbgxmsuspcpdofeqgbnek.";while(
*i){j+=strchr(t,*i++)-t;j%=sizeof t-1;putchar(t[j]);} return 0;}

skarvin
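The point pdp makes above, that a fragment identifier never reaches the server, is what undermines both the mod_security filter and the REQUEST_URI comparison proposed in this thread. The following is an added example, not code from any poster: it reconstructs the request-target a browser sends for a URL (per RFC 3986 the part after "#" stays in the client) and runs the proposed exact-match check against it. The paths, URLs and fragment are constructed placeholders.

```python
from urllib.parse import urlsplit


def request_target(url: str) -> str:
    """Return the request-target a browser puts on the HTTP request line.

    Per RFC 3986 the fragment (everything after '#') is consumed by the
    client and never transmitted, so only path and query reach the server.
    """
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return target


def server_side_check(request_uri: str, expected_uri: str) -> bool:
    """Mirror the thread's proposal: serve the PDF only on an exact REQUEST_URI match."""
    return request_uri == expected_uri


def evaluate(url: str, expected_uri: str) -> dict:
    """Show what the server can inspect versus what stayed in the browser."""
    seen = request_target(url)
    return {
        "server_sees": seen,
        "fragment_kept_by_browser": urlsplit(url).fragment,
        "check_passes": server_side_check(seen, expected_uri),
    }


if __name__ == "__main__":
    EXPECTED = "/docs/report.pdf"  # constructed path, not from the thread
    # Constructed URLs: extra query parameters are visible to the check,
    # a fragment is not, so the fragment case passes the check unchanged.
    for url in ("http://example.com/docs/report.pdf?x=1",
                "http://example.com/docs/report.pdf#untrusted-fragment"):
        print(url, "->", evaluate(url, EXPECTED))
```

The same applies to a mod_security rule: it matches on the request line and headers, neither of which ever carries the fragment.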




Brought to you by http://www.webappsec.org