RE: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
- From: "Martin O'Neal" <martin.oneal@xxxxxxxxxxxx>
- Subject: RE: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
- Date: Thu, 4 Jan 2007 17:58:54 -0000
I've had a better look at this now, and there seems to be a generic
server side solution through the content-disposition header (at least
for the versions of Firefox and IE which I have tested). If it is
specified, the default installs of both products always produce a
download dialog and don't open inline.
Sample Apache config for mitigation:
<IfModule mod_headers.c>
    # Serve every *.pdf with a download disposition so the browser's PDF
    # plugin never renders it inline. "set" rather than "append": if a
    # Content-Disposition header already exists it is replaced, not
    # comma-joined into something like "inline, attachment".
    <FilesMatch "\.pdf$">
        Header set Content-Disposition "attachment"
    </FilesMatch>
</IfModule>
Martin...
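The same mitigation applied in application code, as an added example that is not part of the original post: a small Python HTTP handler that attaches `Content-Disposition: attachment` to any response whose path ends in .pdf, plus an audit helper that flags a PDF response which would still be rendered inline by the browser plugin. The in-memory "site" (two constructed resources), the case-insensitive `.pdf` match and the filename sanitisation are assumptions made for this example, not anything the original message specifies.

```python
"""Added example (not from the original mailing-list post): force PDF
downloads with Content-Disposition and audit responses that would render
inline.  Runs offline against a throw-away loopback server."""
import re
import threading
import urllib.request
from http import HTTPStatus
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Optional

# Assumption for this example: match .pdf case-insensitively, ignoring any query string.
PDF_PATH = re.compile(r"\.pdf$", re.IGNORECASE)


def disposition_for(path: str) -> Optional[str]:
    """Return the Content-Disposition value to send for a PDF path, else None."""
    clean = path.split("?", 1)[0]
    if not PDF_PATH.search(clean):
        return None
    filename = clean.rsplit("/", 1)[-1]
    # Constructed sanitisation: keep the filename parameter to a safe character set
    # so untrusted path components cannot inject further header parameters.
    safe = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    return f'attachment; filename="{safe}"'


def would_render_inline(headers: Dict[str, str]) -> bool:
    """Audit helper: True when a response is a PDF with no attachment disposition,
    i.e. the browser's PDF plugin would open it inline (the risky case)."""
    lower = {k.lower(): v for k, v in headers.items()}
    ctype = lower.get("content-type", "").split(";")[0].strip().lower()
    disp = lower.get("content-disposition", "").split(";")[0].strip().lower()
    return ctype == "application/pdf" and disp != "attachment"


class PdfSafeHandler(BaseHTTPRequestHandler):
    # Constructed in-memory resources; no real files are read.
    FILES = {
        "/report.pdf": ("application/pdf", b"%PDF-1.4\n% constructed sample\n"),
        "/index.html": ("text/html", b"<html><body>hello</body></html>"),
    }

    def do_GET(self):
        entry = self.FILES.get(self.path)
        if entry is None:
            self.send_error(HTTPStatus.NOT_FOUND)
            return
        ctype, body = entry
        self.send_response(HTTPStatus.OK)
        self.send_header("Content-Type", ctype)
        disp = disposition_for(self.path)
        if disp:  # only PDFs get the download disposition
            self.send_header("Content-Disposition", disp)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


def probe(base_url: str, path: str) -> bool:
    """Fetch one resource and report whether it would render inline."""
    with urllib.request.urlopen(base_url + path) as resp:
        return would_render_inline(dict(resp.headers.items()))


def serve_and_probe() -> Dict[str, bool]:
    """Start the handler on an ephemeral loopback port and audit every resource."""
    server = HTTPServer(("127.0.0.1", 0), PdfSafeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        return {p: probe(base, p) for p in PdfSafeHandler.FILES}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for path, risky in serve_and_probe().items():
        print(path, "WOULD RENDER INLINE" if risky else "ok (download or not a PDF)")
```

`would_render_inline` is the check to run against an existing server's response headers: a PDF served with no disposition, or with `inline`, is reported as risky, while `attachment` (with or without a filename parameter) is not.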
----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Brought to you by http://www.webappsec.org