RE: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
- From: "White, Dain P" <dainw@xxxxxxx>
- Subject: RE: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
- Date: Thu, 4 Jan 2007 16:51:51 -0800
Hmmm... This didn't work for me using Firefox 2.0.0.1 (just updated) -- Firefox still alerts "XSS".
-----Original Message-----
From: Jean-Jacques Halans [mailto:halans@xxxxxxxxx]
Sent: Thursday, January 04, 2007 4:42 PM
To: RSnake
Cc: White, Dain P; websecurity@xxxxxxxxxxxxx
Subject: Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
Works for me both in Opera 9 and Firefox 2.
Maybe Adobe should push out a small fix which disables this option in
all versions prior to v8?
On 1/5/07, RSnake <rsnake@xxxxxxxxxxxx> wrote:
>
> This was originally posted in the Opera forums, but if you cannot
> upgrade for some reason this is definitely a way to stop this vector:
>
> Open Adobe Reader and bring up the preferences dialog.
> Select the 'Internet' category.
> You should see an option along the lines of 'Display PDF in browser',
> disable that.
> OK out of the dialog, close Adobe Reader, and restart Opera. The
> plugin should no longer appear on opera:plugins
>
> Try that and let me know if you have any problems.
>
> On Thu, 4 Jan 2007, White, Dain P wrote:
>
> > There's some very incredible work being done here, some of the
> > javascript masters on this list downright scare the bejabbers outta me.
> > I can actually hear the sky falling, thanks! :|
> >
> > Does anyone have any advice on a workaround for IE6 that
> > approximates the firefox / opera workaround of defaulting to save
> > the pdf file rather than open? If I missed the tip in the deluge of
> > messages, I apologize in advance...
> >
> > ~Dain
> >
> > ----------------------------------------------------------------------------
> > The Web Security Mailing List:
> > http://www.webappsec.org/lists/websecurity/
> >
> > The Web Security Mailing List Archives:
> > http://www.webappsec.org/lists/websecurity/archive/
> > http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
> >
> >
>
>
> -R
>
--
Halans Jean-Jacques
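The thread's workarounds are all client-side (disable "Display PDF in browser", or make the browser save the PDF rather than open it). The server-side counterpart, for a site that hosts PDFs and cannot control its visitors' readers, is to send `Content-Disposition: attachment` so the browser never hands the document to the in-browser Reader plugin. The following is an added example written for this page, not code from the thread or from Adobe; the WSGI app, the `PDF_STORE` sample and the helper names are assumptions made up for illustration.

```python
"""Server-side counterpart to the "save rather than open" workaround.

Added example (not from the thread): force the browser to download PDFs
instead of handing them to the in-browser Reader plugin, by sending
Content-Disposition: attachment. Exercised against a constructed WSGI
environ, so no real server or real PDF is involved.
"""
import re
from wsgiref.util import setup_testing_defaults

# Constructed sample document store: path -> bytes. A real app would read files.
PDF_STORE = {
    "/docs/report.pdf": b"%PDF-1.4\n%constructed sample, not a real document\n",
}

# Conservative filename alphabet: anything else becomes "_", so a hostile
# name cannot smuggle a quote, a CRLF or extra header parameters.
_SAFE_NAME = re.compile(r"[^A-Za-z0-9._-]")


def attachment_headers(filename: str, length: int) -> list[tuple[str, str]]:
    """Headers that make a browser save the PDF instead of rendering it inline."""
    safe = _SAFE_NAME.sub("_", filename.strip()) or "download.pdf"
    if not safe.lower().endswith(".pdf"):
        safe += ".pdf"
    return [
        ("Content-Type", "application/pdf"),
        ("Content-Disposition", f'attachment; filename="{safe}"'),
        ("Content-Length", str(length)),
    ]


def pdf_app(environ, start_response):
    """Minimal (hypothetical) WSGI app serving PDF_STORE entries as downloads."""
    path = environ.get("PATH_INFO", "")
    body = PDF_STORE.get(path)
    if body is None:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    headers = attachment_headers(path.rsplit("/", 1)[-1], len(body))
    start_response("200 OK", headers)
    return [body]


def fetch(path: str) -> tuple[str, dict[str, str], bytes]:
    """Drive pdf_app with a constructed environ; return (status, headers, body)."""
    environ = {"PATH_INFO": path}
    setup_testing_defaults(environ)
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(pdf_app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    status, headers, _ = fetch("/docs/report.pdf")
    print(status, headers["Content-Disposition"])
```

Note that the `#fragment` part of a URL is never sent to the server, so no amount of server-side input filtering can see the payload; forcing a download is the one lever the site operator has, and it works regardless of which browser or Reader version the visitor runs.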