RE: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
- From: "White, Dain P" <dainw@xxxxxxx>
- Subject: RE: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
- Date: Thu, 4 Jan 2007 15:03:18 -0800
Hmmm...
Unfortunately, I have IE7 here, and while I have a standalone IE6, it
lacks the "fundamental interconnectedness" to test if this will work -
if anyone has original IE6, does following this procedure mitigate the
POC?
Open Windows Explorer
Tools --> Options --> FileTypes
Select PDF, Click Advanced
check "Confirm after Download"
Thanks in advance!
~Dain
-----Original Message-----
From: Mark Andrews [mailto:mark_andrews@xxxxxxxxxxxx]
Sent: Thursday, January 04, 2007 3:00 PM
To: White, Dain P; websecurity@xxxxxxxxxxxxx
Subject: RE: [WEB SECURITY] Universal XSS with PDF files: highly
dangerous
I think you can only disable it.
Internet Options > Manage add-ons > disable Adobe PDF Reader link helper
-ma
-----Original Message-----
From: White, Dain P [mailto:dainw@xxxxxxx]
Sent: Thursday, January 04, 2007 2:08 PM
To: websecurity@xxxxxxxxxxxxx
Subject: RE: [WEB SECURITY] Universal XSS with PDF files: highly
dangerous
There's some very incredible work being done here, some of the
JavaScript masters on this list downright scare the bejabbers outta me.
I can actually hear the sky falling, thanks! :|
Does anyone have any advice on a workaround for IE6 that approximates
the Firefox / Opera workaround of defaulting to save the PDF file rather
than open? If I missed the tip in the deluge of messages, I apologize in
advance...
~Dain
----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Brought to you by http://www.webappsec.org