
RE: [WEB SECURITY] Universal XSS with PDF files: highly dangerous




This was originally posted in the Opera forums, but if you cannot upgrade for some reason this is definitely a way to stop this vector:

Open Adobe Reader and bring up the preferences dialog.
Select the 'Internet' category.
You should see an option along the lines of 'Display PDF in browser',
disable that.
OK out of the dialog, close Adobe Reader, and restart Opera. The plugin
should no longer appear on opera:plugins.

Try that and let me know if you have any problems.

On Thu, 4 Jan 2007, White, Dain P wrote:

There's some very incredible work being done here, some of the
JavaScript masters on this list downright scare the bejabbers outta me.
I can actually hear the sky falling, thanks! :|

Does anyone have any advice on a workaround for IE6 that approximates
the Firefox / Opera workaround of defaulting to save the PDF file rather
than open? If I missed the tip in the deluge of messages, I apologize in
advance...

~Dain

----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]




-R





Brought to you by http://www.webappsec.org