Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous

["Jean-Jacques Halans" <halans@xxxxxxxxx>]

Checked again, it does work for me  for:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1)
Gecko/20061204 Firefox/2.0.0.1
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.8)
Gecko/20061025 Firefox/1.5.0.8
Opera 9.10 build 8679

Although admitting it is Portable Firefox 2 (updated to 2.0.0.1)


On 1/5/07, White, Dain P <dainw@xxxxxxx> wrote:
> Hmmm... This didn't work for me using Firefox 2.0.0.1 (just updated) - -
> Firefox still alerts "XSS".
>
>
> -----Original Message-----
> From: Jean-Jacques Halans [mailto:halans@xxxxxxxxx]
> Sent: Thursday, January 04, 2007 4:42 PM
> To: RSnake
> Cc: White, Dain P; websecurity@xxxxxxxxxxxxx
> Subject: Re: [WEB SECURITY] Universal XSS with PDF files: highly
> dangerous
>
> Works for me both in Opera 9 and Firefox 2.
> Maybe Adobe should push out a small fix which disables this option in
> all versions prior to v8?
>
> On 1/5/07, RSnake <rsnake@xxxxxxxxxxxx> wrote:
> >
> > This was originally posted in the Opera forums, but if you cannot
> > upgrade for some reason this is definitely a way to stop this vector:
> >
> > Open Adobe Reader and bring up the preferences dialog.
> > Select the 'Internet' category.
> > You should see an option along the lines of 'Display PDF in browser',
> > disable that.
> > OK out of the dialog, close Adobe Reader, and restart Opera. The
> > plugin should no longer appear on opera:plugins
> >
> > Try that and let me know if you have any problems.
> >

-
Halans Jean-Jacques

----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]