RE: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
- From: "Ory Segal" <osegal@xxxxxxxxxxxxx>
- Subject: RE: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
- Date: Thu, 4 Jan 2007 22:40:06 +0200
Hi Skarvin,

When you click on a link that contains a fragment in it, the browser
does not send that part (everything after the # symbol - including the
symbol itself) to the server. For example:

http://www.some.site/page.html#abc, when clicked, will send the
following request:

GET /page.html HTTP/1.0
Host: www.some.site
...

So any server-side filtering of '#' won't work.

-Ory Segal
www.watchfire.com
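The point made above can be checked mechanically. The script below is an added example and is not part of the thread: it models the step in which a browser turns a clicked link into an HTTP request-line, then runs a "block anything containing #" rule over what the server would actually receive. Host names, paths and the HTTP/1.1 version are constructed assumptions; the splitting is done with Python's `urllib.parse`, which, like a browser, keeps the fragment client-side and puts only path and query on the wire.

```python
"""Added example: what the server receives for a link with a fragment,
and why a server-side rule on '#' therefore never fires.

Sample host names and paths are constructed; HTTP/1.1 is assumed.
"""
import re
from urllib.parse import urlsplit


def request_line(url: str) -> tuple[str, str]:
    """Return (request-line, Host header value) a browser emits for `url`.

    Everything from '#' onward is a fragment identifier and is dropped,
    exactly as in the GET /page.html example earlier in the thread.
    """
    parts = urlsplit(url)
    target = parts.path or "/"          # an empty path is sent as "/"
    if parts.query:
        target += "?" + parts.query     # the query string IS sent
    # parts.fragment is deliberately never used: it never leaves the client
    return f"GET {target} HTTP/1.1", parts.netloc


def same_request(url_a: str, url_b: str) -> bool:
    """True when two links put byte-identical requests on the wire.

    This is the thread's WAF/IDS point: if the requests are identical,
    nothing on the server side can tell the two links apart.
    """
    return request_line(url_a) == request_line(url_b)


# A rule in the spirit of "block any request with a '#' in it".
NAIVE_HASH_RULE = re.compile(r"#")


def naive_waf_blocks(url: str) -> bool:
    """Apply NAIVE_HASH_RULE to the request the server receives for `url`."""
    line, host = request_line(url)
    return bool(NAIVE_HASH_RULE.search(line + "\r\nHost: " + host))


SAMPLE_LINKS = [  # constructed sample links, not from the original thread
    "http://www.some.site/page.html#abc",
    "http://www.some.site/docs/report.pdf",
    "http://www.some.site/docs/report.pdf#anything-goes-here",
    "http://www.some.site/docs/report.pdf?v=3#top",
    # '%23' is not a fragment delimiter: it is an ordinary path byte that the
    # browser sends as-is, so the server sees it, but a '#' rule still misses it.
    "http://www.some.site/docs/report.pdf%23x",
]


def server_view(links=SAMPLE_LINKS) -> dict[str, str]:
    """Map each link to the request-line the server would log for it."""
    return {url: request_line(url)[0] for url in links}


if __name__ == "__main__":
    for url, line in server_view().items():
        verdict = "BLOCKED" if naive_waf_blocks(url) else "passed"
        print(f"{url:55} -> {line:40} [{verdict}]")
```

Running it shows every link, fragment or not, passing the rule, and `report.pdf` and `report.pdf#anything-goes-here` producing the same request-line, which is the reason a server-side filter cannot separate a legitimate PDF request from one carrying a fragment payload.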
________________________________
From: skarvin [mailto:skarvin@gmail.com]
Sent: Thursday, January 04, 2007 10:07 PM
To: Billy Hoffman
Cc: bugtraq@securityfocus.com; websecurity@webappsec.org
Subject: Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
Hello Billy,

If I write a rule that filters all URLs with this character --> # in their
content, I think that the problem is solved, but that is my opinion.

Best regards.
2007/1/4, Billy Hoffman <Billy.Hoffman@spidynamics.com>:

You cannot filter these URLs, because a URL fragment denotes
something inside of a resource. The server doesn't care what the
fragment is. The HTTP request sent when you click on a URL with a
fragment doesn't contain the fragment at all. This means a site cannot
even implement a web application firewall or IDS rule to not serve a
PDF. They can't tell the difference between a PDF requested for
legitimate reasons and a PDF requested as part of an attack.

Short of removing all PDFs from a website, that site cannot
ensure they are acting as an accomplice to exploit a user.

Fun times,
Billy Hoffman
--
Lead Researcher, SPI Labs
SPI Dynamics Inc. - http://www.spidynamics.com
Phone: 678-781-4800
Direct: 678-781-4845
________________________________
From: skarvin [mailto:skarvin@gmail.com]
Sent: Thursday, January 04, 2007 4:04 AM
To: bugtraq@securityfocus.com; websecurity@webappsec.org
Subject: Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
Hi all,

Another possible solution is to use the Apache mod_security to
filter that kind of URL.

bye
2007/1/4, pdp (architect) <pdp.gnucitizen@googlemail.com>:

ahhh, fragment identifiers make sense to browsers only. they are
not sent to the server
On 1/4/07, der wert <derwert@hotmail.com> wrote:
>
> The best solution I see would be to keep all pdf files in a non-web
> accessible location on the web server, then have all the pdf files
> output through a script such as a php script. In php you can check
> what the REQUEST_URI is; if it isn't equal to what you were expecting,
> which would mean extra parameters were taken away or added, then you
> could just have the php script not output the pdf file, since that
> would mean someone had been tampering with the URI.
>
> D
--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
--
Regards,

This message was written entirely with recycled electrons.

blog: http://skarvin.blogspot.com
main(){int j=1234;char t[]=":@abcdefghijklmnopqrstuvwxyz.\n",*i=
"iqgbgxmsuspcpdofeqgbnek.";char *strchr(const char *,int);while(
*i){j+=strchr(t,*i++)-t;j%=sizeof t-1;putchar(t[j]);} return 0;}

skarvin
Brought to you by http://www.webappsec.org