[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: [WEB SECURITY] Universal XSS with PDF files: highly dangerous

From: "Billy Hoffman" <Billy.Hoffman@xxxxxxxxxxxxxxx>
Subject: RE: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
Date: Thu, 4 Jan 2007 16:31:20 -0500
------_=_NextPart_001_01C73047.ACF9362C
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

I think I get what Skarvin is saying. Hopeful we all know that fragments
are not sent with the request, so you cannot stop yourself from serving
a PDF that's about to execute JS code in a fragment. However, social
sites and forum sites can scan their site to see if any user supplied
links point to a PDF with a malicious looking fragment. At the very
least they can make sure they are not being an accomplice to an attack.
Of course, some people server PDF's through file portals
(file.php?file=3Dfoo.pdf) or use other things that makes it hard to see =
if
a hyperlink serves a PDF or not.

=20

Billy Hoffman

--

Lead Researcher, SPI Labs

SPI Dynamics Inc. - http://www.spidynamics.com
<http://www.spidynamics.com/>=20

Phone:  678-781-4800

Direct:   678-781-4845

________________________________

From: Ory Segal [mailto:osegal@watchfire.com]=20
Sent: Thursday, January 04, 2007 3:40 PM
To: skarvin
Cc: bugtraq@securityfocus.com; websecurity@webappsec.org
Subject: RE: [WEB SECURITY] Universal XSS with PDF files: highly
dangerous

=20

Hi Skarvin,

=20

When you click on a link that contains a fragment in it, the browser
does not send that part (everything after the # symbol - including the
symbol itself), to the server. For example:

=20

http://www.some.site/page.html#abc , when clicked, will send the
following request:

=20

GET /page.html HTTP/1.0

Host: www.some.site

...

=20

So any server side filtering of '#' won't work.

=20

-Ory Segal

www.watchfire.com

=20

=20

=20

=20

________________________________

From: skarvin [mailto:skarvin@gmail.com]=20
Sent: Thursday, January 04, 2007 10:07 PM
To: Billy Hoffman
Cc: bugtraq@securityfocus.com; websecurity@webappsec.org
Subject: Re: [WEB SECURITY] Universal XSS with PDF files: highly
dangerous

Hello Billy,

If I write a rule that filters all url with this character --> # in it's
content I think that the problem is solved, but is my opinion.


Best regards.

2007/1/4, Billy Hoffman <Billy.Hoffman@spidynamics.com>:=20

You cannot filter this URLs, because a URL fragment denotes something
inside of a resource. The server doesn't care what the fragment it. The
HTTP request sent when you click on a URL with a fragment doesn't
contain the fragment at all. This means a site cannot even implement a
web application firewall or IDS rule to not serve a PDF. They can't tell
the different between a PDF requested for legitimate reasons or a PDF
requested as part of an attack.

=20

Short of removing all PDF's from a website, that site cannot ensure they
are acting as an accomplice to exploit a user.

=20

Fun times,

Billy Hoffman

--

Lead Researcher, SPI Labs

SPI Dynamics Inc. - http://www.spidynamics.com
<http://www.spidynamics.com/>=20

Phone:  678-781-4800

Direct:   678-781-4845=20

________________________________

From: skarvin [mailto:skarvin@gmail.com]=20
Sent: Thursday, January 04, 2007 4:04 AM
To: bugtraq@securityfocus.com; websecurity@webappsec.org
Subject: Re: [WEB SECURITY] Universal XSS with PDF files: highly
dangerous

=20

Hi all,

Another possible solution is to use the Apache mod_security to filter
that kind of urls.

bye

2007/1/4, pdp (architect) < pdp.gnucitizen@googlemail.com
<mailto:pdp.gnucitizen@googlemail.com> >:

ahhh, fragment identifiers make sense to browsers only. they are not=20
send to the server

On 1/4/07, der wert <derwert@hotmail.com> wrote:
>
> The best solution I see would be to keep all pdf files in a non-web
> accessible location on the web server, then have all the pdf files
outputed=20
> through a script such as a php script. In php you can check the what
the
> REQUEST_URI is, if it isn't equal to what you were expecting which
would
> mean extra parameters were taken away or added then you could just
have the=20
> php script not output the pdf file since that would mean someone had
been
> tampering with the URI.
>
> D
>
> ________________________________
> Get free, personalized online radio with MSN Radio powered by Pandora.
Try=20
> it!


--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org

------------------------------------------------------------------------
----
The Web Security Mailing List:=20
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/=20
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]




--=20
Un saludo,

This message was written entirely with recycled electrons.=20

blog: http://skarvin.blogspot.com
main(){int j=3D1234;char t[]=3D":@abcdefghijklmnopqrstuvwxyz.\n",*i=3D
"iqgbgxmsuspcpdofeqgbnek.";char *strchr(const char *,int);while(=20
*i){j+=3Dstrchr(t,*i++)-t;j%=3Dsizeof t-1;putchar(t[j]);} return 0;}

skarvin=20




--=20
Un saludo,

This message was written entirely with recycled electrons.

blog: http://skarvin.blogspot.com
main(){int j=3D1234;char t[]=3D":@abcdefghijklmnopqrstuvwxyz.\n",*i=3D=20
"iqgbgxmsuspcpdofeqgbnek.";char *strchr(const char *,int);while(
*i){j+=3Dstrchr(t,*i++)-t;j%=3Dsizeof t-1;putchar(t[j]);} return 0;}

skarvin=20


------_=_NextPart_001_01C73047.ACF9362C
Content-Type: text/html;
	charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" =
xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:st1=3D"urn:schemas-microsoft-com:office:smarttags" =
xmlns=3D"http://www.w3.org/TR/REC-html40";>

<head>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Dus-ascii">
<meta name=3DGenerator content=3D"Microsoft Word 11 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]--><o:SmartTagType
 namespaceuri=3D"urn:schemas-microsoft-com:office:smarttags" =
name=3D"PersonName"/>
<!--[if !mso]>
<style>
st1\:*{behavior:url(#default#ieooui) }
</style>
<![endif]-->
<style>
<!--
 /* Font Definitions */
 @font-face
	{font-family:Tahoma;
	panose-1:2 11 6 4 3 5 4 4 2 4;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0in;
	margin-bottom:.0001pt;
	font-size:12.0pt;
	font-family:"Times New Roman";}
a:link, span.MsoHyperlink
	{color:blue;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{color:blue;
	text-decoration:underline;}
p
	{mso-margin-top-alt:auto;
	margin-right:0in;
	mso-margin-bottom-alt:auto;
	margin-left:0in;
	font-size:12.0pt;
	font-family:"Times New Roman";}
span.EmailStyle21
	{mso-style-type:personal-reply;
	font-family:Arial;
	color:navy;}
@page Section1
	{size:8.5in 11.0in;
	margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
	{page:Section1;}
-->
</style>

</head>

<body lang=3DEN-US link=3Dblue vlink=3Dblue>

<div class=3DSection1>

<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span =
style=3D'font-size:
10.0pt;font-family:Arial;color:navy'>I think I get what Skarvin is =
saying. Hopeful
we all know that fragments are not sent with the request, so you cannot =
stop
yourself from serving a PDF that&#8217;s about to execute JS code in a
fragment. However, social sites and forum sites can scan their site to =
see if any
user supplied links point to a PDF with a malicious looking fragment. At =
the
very least they can make sure they are not being an accomplice to an =
attack. Of
course, some people server PDF&#8217;s through file portals =
(file.php?file=3Dfoo.pdf)
or use other things that makes it hard to see if a hyperlink serves a =
PDF or
not.<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span =
style=3D'font-size:
10.0pt;font-family:Arial;color:navy'><o:p>&nbsp;</o:p></span></font></p>

<div>

<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span =
style=3D'font-size:
10.0pt;font-family:Arial;color:navy'>Billy =
Hoffman<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span =
style=3D'font-size:
10.0pt;font-family:Arial;color:navy'>--<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span =
style=3D'font-size:
10.0pt;font-family:Arial;color:navy'>Lead Researcher, <st1:PersonName =
w:st=3D"on">SPI
 Labs</st1:PersonName><o:p></o:p></span></font></p>

<p class=3DMsoNormal><st1:PersonName w:st=3D"on"><font size=3D2 =
color=3Dnavy
 face=3DArial><span =
style=3D'font-size:10.0pt;font-family:Arial;color:navy'>SPI
 Dynamics</span></font></st1:PersonName><font size=3D2 color=3Dnavy =
face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial;color:navy'> Inc. &#8211; <a
href=3D"http://www.spidynamics.com/";>http://www.spidynamics.com</a><o:p><=
/o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span =
style=3D'font-size:
10.0pt;font-family:Arial;color:navy'>Phone:&nbsp; =
678-781-4800<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span =
style=3D'font-size:
10.0pt;font-family:Arial;color:navy'>Direct:&nbsp;&nbsp; =
678-781-4845</span></font><font
size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;font-family:Arial'><o:p></o:p></span></font></p=
>

</div>

<div>

<div class=3DMsoNormal align=3Dcenter style=3D'text-align:center'><font =
size=3D3
face=3D"Times New Roman"><span style=3D'font-size:12.0pt'>

<hr size=3D2 width=3D"100%" align=3Dcenter tabindex=3D-1>

</span></font></div>

<p class=3DMsoNormal><b><font size=3D2 face=3DTahoma><span =
style=3D'font-size:10.0pt;
font-family:Tahoma;font-weight:bold'>From:</span></font></b><font =
size=3D2
face=3DTahoma><span style=3D'font-size:10.0pt;font-family:Tahoma'> Ory =
Segal
[mailto:osegal@watchfire.com] <br>
<b><span style=3D'font-weight:bold'>Sent:</span></b> Thursday, January =
04, 2007
3:40 PM<br>
<b><span style=3D'font-weight:bold'>To:</span></b> skarvin<br>
<b><span style=3D'font-weight:bold'>Cc:</span></b> =
bugtraq@securityfocus.com;
websecurity@webappsec.org<br>
<b><span style=3D'font-weight:bold'>Subject:</span></b> RE: [WEB =
SECURITY]
Universal XSS with PDF files: highly =
dangerous</span></font><o:p></o:p></p>

</div>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<div>

<p class=3DMsoNormal><font size=3D2 color=3Dblue face=3DArial><span =
style=3D'font-size:
10.0pt;font-family:Arial;color:blue'>Hi =
Skarvin,</span></font><o:p></o:p></p>

</div>

<div>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>&nbsp;<o:p></o:p></span></font></p>

</div>

<div>

<p class=3DMsoNormal><font size=3D2 color=3Dblue face=3DArial><span =
style=3D'font-size:
10.0pt;font-family:Arial;color:blue'>When you click on a link that =
contains a
fragment in it, the browser does not send that part (everything after =
the #
symbol - including the symbol itself), to the server. For =
example:</span></font><o:p></o:p></p>

</div>

<div>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>&nbsp;<o:p></o:p></span></font></p>

</div>

<div>

<p class=3DMsoNormal><font size=3D2 color=3Dblue face=3DArial><span =
style=3D'font-size:
10.0pt;font-family:Arial;color:blue'><a
href=3D"http://www.some.site/page.html#abc";>http://www.some.site/page.htm=
l#abc</a>&nbsp;,
when clicked, will send the following =
request:</span></font><o:p></o:p></p>

</div>

<div>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>&nbsp;<o:p></o:p></span></font></p>

</div>

<div>

<p class=3DMsoNormal><font size=3D2 color=3Dblue face=3DArial><span =
style=3D'font-size:
10.0pt;font-family:Arial;color:blue'>GET /page.html =
HTTP/1.0</span></font><o:p></o:p></p>

</div>

<div>

<p class=3DMsoNormal><font size=3D2 color=3Dblue face=3DArial><span =
style=3D'font-size:
10.0pt;font-family:Arial;color:blue'>Host: <a =
href=3D"http://www.some.site";>www.some.site</a></span></font><o:p></o:p><=
/p>

</div>

<div>

<p class=3DMsoNormal><font size=3D2 color=3Dblue face=3DArial><span =
style=3D'font-size:
10.0pt;font-family:Arial;color:blue'>...</span></font><o:p></o:p></p>

</div>

<div>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>&nbsp;<o:p></o:p></span></font></p>

</div>

<div>

<p class=3DMsoNormal><font size=3D2 color=3Dblue face=3DArial><span =
style=3D'font-size:
10.0pt;font-family:Arial;color:blue'>So any server side filtering of '#' =
won't
work.</span></font><o:p></o:p></p>

</div>

<div>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>&nbsp;<o:p></o:p></span></font></p>

</div>

<div>

<p class=3DMsoNormal><font size=3D2 color=3Dblue face=3DArial><span =
style=3D'font-size:
10.0pt;font-family:Arial;color:blue'>-Ory =
Segal</span></font><o:p></o:p></p>

</div>

<div>

<p class=3DMsoNormal><font size=3D2 color=3Dblue face=3DArial><span =
style=3D'font-size:
10.0pt;font-family:Arial;color:blue'><a =
href=3D"http://www.watchfire.com";>www.watchfire.com</a></span></font><o:p=
></o:p></p>

</div>

<div>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>&nbsp;<o:p></o:p></span></font></p>

</div>

<div>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>&nbsp;<o:p></o:p></span></font></p>

</div>

<div>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>&nbsp;<o:p></o:p></span></font></p>

</div>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<div class=3DMsoNormal align=3Dcenter style=3D'text-align:center'><font =
size=3D3
face=3D"Times New Roman"><span style=3D'font-size:12.0pt'>

<hr size=3D2 width=3D"100%" align=3Dcenter tabIndex=3D-1>

</span></font></div>

<p class=3DMsoNormal style=3D'margin-bottom:12.0pt'><b><font size=3D2 =
face=3DTahoma><span
style=3D'font-size:10.0pt;font-family:Tahoma;font-weight:bold'>From:</spa=
n></font></b><font
size=3D2 face=3DTahoma><span =
style=3D'font-size:10.0pt;font-family:Tahoma'> skarvin
[mailto:skarvin@gmail.com] <br>
<b><span style=3D'font-weight:bold'>Sent:</span></b> Thursday, January =
04, 2007
10:07 PM<br>
<b><span style=3D'font-weight:bold'>To:</span></b> Billy Hoffman<br>
<b><span style=3D'font-weight:bold'>Cc:</span></b> =
bugtraq@securityfocus.com; websecurity@webappsec.org<br>
<b><span style=3D'font-weight:bold'>Subject:</span></b> Re: [WEB =
SECURITY]
Universal XSS with PDF files: highly =
dangerous</span></font><o:p></o:p></p>

<p class=3DMsoNormal style=3D'margin-bottom:12.0pt'><font size=3D3
face=3D"Times New Roman"><span style=3D'font-size:12.0pt'>Hello =
Billy,<br>
<br>
If I write a rule that filters all url with this character --&gt; # in =
it's
content I think that the problem is solved, but is my opinion.<br>
<br>
<br>
Best regards.<o:p></o:p></span></font></p>

<div>

<p class=3DMsoNormal><span class=3Dgmailquote><font size=3D3 =
face=3D"Times New Roman"><span
style=3D'font-size:12.0pt'>2007/1/4, Billy Hoffman &lt;<a
href=3D"mailto:Billy.Hoffman@spidynamics.com";>Billy.Hoffman@spidynamics.c=
om</a>&gt;:</span></font></span>
<o:p></o:p></p>

<div vlink=3Dblue link=3Dblue>

<div>

<p><font size=3D2 color=3Dnavy face=3DArial><span =
style=3D'font-size:10.0pt;font-family:
Arial;color:navy'>You cannot filter this URLs, because a URL fragment =
denotes
something inside of a resource. The server doesn't care what the =
fragment it.
The HTTP request sent when you click on a URL with a fragment doesn't =
contain
the fragment at all. This means a site cannot even implement a web =
application
firewall or IDS rule to not serve a PDF. They can't tell the different =
between
a PDF requested for legitimate reasons or a PDF requested as part of an =
attack.</span></font><o:p></o:p></p>

<p><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt'>&nbsp;<o:p></o:p></span></font></p>

<p><font size=3D2 color=3Dnavy face=3DArial><span =
style=3D'font-size:10.0pt;font-family:
Arial;color:navy'>Short of removing all PDF's from a website, that site =
cannot
ensure they are acting as an accomplice to exploit a =
user.</span></font><o:p></o:p></p>

<p><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt'>&nbsp;<o:p></o:p></span></font></p>

<p><font size=3D2 color=3Dnavy face=3DArial><span =
style=3D'font-size:10.0pt;font-family:
Arial;color:navy'>Fun times,</span></font><o:p></o:p></p>

<div>

<p><font size=3D2 color=3Dnavy face=3DArial><span =
style=3D'font-size:10.0pt;font-family:
Arial;color:navy'>Billy Hoffman</span></font><o:p></o:p></p>

<p><font size=3D2 color=3Dnavy face=3DArial><span =
style=3D'font-size:10.0pt;font-family:
Arial;color:navy'>--</span></font><o:p></o:p></p>

<p><font size=3D2 color=3Dnavy face=3DArial><span =
style=3D'font-size:10.0pt;font-family:
Arial;color:navy'>Lead Researcher, <st1:PersonName w:st=3D"on">SPI =
Labs</st1:PersonName></span></font><o:p></o:p></p>

<p><st1:PersonName w:st=3D"on"><font size=3D2 color=3Dnavy =
face=3DArial><span
 style=3D'font-size:10.0pt;font-family:Arial;color:navy'>SPI =
Dynamics</span></font></st1:PersonName><font
size=3D2 color=3Dnavy face=3DArial><span =
style=3D'font-size:10.0pt;font-family:Arial;
color:navy'> Inc. &#8211; <a href=3D"http://www.spidynamics.com/"; =
target=3D"_blank">http://www.spidynamics.com</a></span></font><o:p></o:p>=
</p>

<p><font size=3D2 color=3Dnavy face=3DArial><span =
style=3D'font-size:10.0pt;font-family:
Arial;color:navy'>Phone:&nbsp; 678-781-4800</span></font><o:p></o:p></p>

<p><font size=3D2 color=3Dnavy face=3DArial><span =
style=3D'font-size:10.0pt;font-family:
Arial;color:navy'>Direct:&nbsp;&nbsp; 678-781-4845</span></font><font =
size=3D2
face=3DArial><span style=3D'font-size:10.0pt;font-family:Arial'> =
</span></font><o:p></o:p></p>

</div>

<div>

<div class=3DMsoNormal align=3Dcenter style=3D'text-align:center'><font =
size=3D3
face=3D"Times New Roman"><span style=3D'font-size:12.0pt'>

<hr size=3D2 width=3D"100%" align=3Dcenter>

</span></font></div>

<p><b><font size=3D2 face=3DTahoma><span =
style=3D'font-size:10.0pt;font-family:Tahoma;
font-weight:bold'>From:</span></font></b><font size=3D2 =
face=3DTahoma><span
style=3D'font-size:10.0pt;font-family:Tahoma'> skarvin [mailto:<a
href=3D"mailto:skarvin@gmail.com"; =
target=3D"_blank">skarvin@gmail.com</a>] <br>
<b><span style=3D'font-weight:bold'>Sent:</span></b> Thursday, January =
04, 2007
4:04 AM<br>
<b><span style=3D'font-weight:bold'>To:</span></b> <a
href=3D"mailto:bugtraq@securityfocus.com"; =
target=3D"_blank">bugtraq@securityfocus.com</a>;
<a href=3D"mailto:websecurity@webappsec.org"; =
target=3D"_blank">websecurity@webappsec.org</a><br>
<span class=3Dq><b><span style=3D'font-weight:bold'>Subject:</span></b> =
Re: [WEB
SECURITY] Universal XSS with PDF files: highly =
dangerous</span></span></font><o:p></o:p></p>

</div>

<p><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt'>&nbsp;<o:p></o:p></span></font></p>

<div><span id=3D"q_10fee15fb1e2b4a0_3">

<p style=3D'margin-bottom:12.0pt'><font size=3D3 face=3D"Times New =
Roman"><span
style=3D'font-size:12.0pt'>Hi all,<br>
<br>
Another possible solution is to use the Apache mod_security to filter =
that kind
of urls.<br>
<br>
bye<o:p></o:p></span></font></p>

<div>

<p><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt'>2007/1/4,
pdp (architect) &lt;<a href=3D"mailto:pdp.gnucitizen@googlemail.com";
target=3D"_blank"> =
pdp.gnucitizen@googlemail.com</a>&gt;:<o:p></o:p></span></font></p>

<p style=3D'margin-bottom:12.0pt'><font size=3D3 face=3D"Times New =
Roman"><span
style=3D'font-size:12.0pt'>ahhh, fragment identifiers make sense to =
browsers
only. they are not <br>
send to the server<br>
<br>
On 1/4/07, der wert &lt;<a href=3D"mailto:derwert@hotmail.com"; =
target=3D"_blank">derwert@hotmail.com</a>&gt;
wrote:<br>
&gt;<br>
&gt; The best solution I see would be to keep all pdf files in a =
non-web<br>
&gt; accessible location on the web server, then have all the pdf files
outputed <br>
&gt; through a script such as a php script. In php you can check the =
what the<br>
&gt; REQUEST_URI is, if it isn't equal to what you were expecting which =
would<br>
&gt; mean extra parameters were taken away or added then you could just =
have
the <br>
&gt; php script not output the pdf file since that would mean someone =
had been<br>
&gt; tampering with the URI.<br>
&gt;<br>
&gt; D<br>
&gt;<br>
&gt; ________________________________<br>
&gt; Get free, personalized online radio with MSN Radio powered by =
Pandora. Try
<br>
&gt; it!<br>
<br>
<br>
--<br>
pdp (architect) | petko d. petkov<br>
<a href=3D"http://www.gnucitizen.org"; =
target=3D"_blank">http://www.gnucitizen.org</a><br>
<br>
-------------------------------------------------------------------------=
---<br>
The Web Security Mailing List: <br>
<a href=3D"http://www.webappsec.org/lists/websecurity/"; =
target=3D"_blank">http://www.webappsec.org/lists/websecurity/</a><br>
<br>
The Web Security Mailing List Archives:<br>
<a href=3D"http://www.webappsec.org/lists/websecurity/archive/"; =
target=3D"_blank">http://www.webappsec.org/lists/websecurity/archive/
</a><br>
<a href=3D"http://www.webappsec.org/rss/websecurity.rss"; =
target=3D"_blank">http://www.webappsec.org/rss/websecurity.rss</a>
[RSS Feed]<o:p></o:p></span></font></p>

</div>

<p><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt'><br>
<br clear=3Dall>
<br>
-- <br>
Un saludo,<br>
<br>
This message was written entirely with recycled electrons. <br>
<br>
blog: <a href=3D"http://skarvin.blogspot.com"; =
target=3D"_blank">http://skarvin.blogspot.com</a><br>
main(){int j=3D1234;char =
t[]=3D&quot;:@abcdefghijklmnopqrstuvwxyz.\n&quot;,*i=3D<br>
&quot;iqgbgxmsuspcpdofeqgbnek.&quot;;char *strchr(const char =
*,int);while( <br>
*i){j+=3Dstrchr(t,*i++)-t;j%=3Dsizeof t-1;putchar(t[j]);} return 0;}<br>
<br>
skarvin <o:p></o:p></span></font></p>

</div>

</div>

</div>

</div>

</span>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><br>
<br clear=3Dall>
<br>
-- <br>
Un saludo,<br>
<br>
This message was written entirely with recycled electrons.<br>
<br>
blog: <a =
href=3D"http://skarvin.blogspot.com";>http://skarvin.blogspot.com</a><br>
main(){int j=3D1234;char =
t[]=3D&quot;:@abcdefghijklmnopqrstuvwxyz.\n&quot;,*i=3D <br>
&quot;iqgbgxmsuspcpdofeqgbnek.&quot;;char *strchr(const char =
*,int);while(<br>
*i){j+=3Dstrchr(t,*i++)-t;j%=3Dsizeof t-1;putchar(t[j]);} return 0;}<br>
<br>
skarvin <o:p></o:p></span></font></p>

</div>

</body>

</html>

------_=_NextPart_001_01C73047.ACF9362C--
Follow-Ups:
- Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
  - From: pdp (architect)
- Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
  - From: Amit Klein
References:
- RE: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
  - From: Ory Segal
Prev by Date: [WEB SECURITY] Re: [Full-disclosure] Universal XSS with PDF files: highly dangerous
Next by Date: Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
Previous by thread: RE: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
Next by thread: Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
Index(es):
- Date
- Thread
Brought to you by http://www.webappsec.org
Search this site