
RE: [WEB SECURITY] Universal XSS with PDF files: highly dangerous



This also works for the affected versions of Opera mentioned elsewhere
on the list (9.10, 8.54)...

-----Original Message-----
From: Martin O'Neal [mailto:martin.oneal@xxxxxxxxxxxx] 
Sent: 04 January 2007 17:59
To: bugtraq@xxxxxxxxxxxxxxxxx; websecurity@xxxxxxxxxxxxx
Subject: RE: [WEB SECURITY] Universal XSS with PDF files: highly dangerous


I've had a better look at this now, and there seems to be a generic
server side solution through the content-disposition header (at least
for the versions of Firefox and IE which I have tested).  If it is
specified, the default installs of both products always produce a
download dialog and don't open inline.

Sample apache config for mitigation:

<IfModule mod_headers.c>
  # (?i) matches the extension case-insensitively, so REPORT.PDF is covered too
  <FilesMatch "(?i)\.pdf$">
    # "set" replaces any Content-Disposition the application already sent;
    # "append" would merge the two values into one comma-separated header
    Header set Content-Disposition "attachment"
  </FilesMatch>
</IfModule>

Martin...

----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]


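An added check to go with the mitigation discussed above (example code written for this page, not from either poster): given a response's headers as a dict, it reports whether a PDF would still be handed to the inline viewer plugin. The sample responses are constructed; the "append-collision" case shows what Apache's `Header append` produces when the application already emits its own Content-Disposition, which is why `Header set` is the safer directive.

```python
from typing import Dict, Mapping

# Constructed sample responses (illustrative, not captured from a real
# server): headers a ".pdf" URL might return before and after the
# Content-Disposition mitigation from the message above.
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "default-inline": {"Content-Type": "application/pdf"},
    "mitigated": {"Content-Type": "application/pdf",
                  "Content-Disposition": "attachment;"},
    "mitigated-with-filename": {
        "Content-Type": "application/pdf",
        "Content-Disposition": 'Attachment; filename="report.pdf"'},
    # What "Header append" yields when the application already sent its own
    # Content-Disposition: Apache merges the two values with a comma.
    "append-collision": {
        "Content-Type": "application/pdf",
        "Content-Disposition": 'inline; filename="x.pdf", attachment;'},
    "octet-stream": {"Content-Type": "application/octet-stream"},
}

def header(headers: Mapping[str, str], name: str) -> str:
    """Case-insensitive header lookup; '' when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""

def disposition_type(headers: Mapping[str, str]) -> str:
    """The disposition-type is the token before the first ';' (RFC 2183);
    parameters such as filename= are ignored. A merged value such as
    'inline; ..., attachment;' therefore reports 'inline'."""
    return header(headers, "Content-Disposition").split(";", 1)[0].strip().lower()

def pdf_rendered_inline(headers: Mapping[str, str]) -> bool:
    """True when the browser would hand this response to the inline PDF
    viewer: a PDF media type without an unambiguous 'attachment' disposition."""
    media_type = header(headers, "Content-Type").split(";", 1)[0].strip().lower()
    if media_type not in ("application/pdf", "application/x-pdf"):
        return False
    return disposition_type(headers) != "attachment"

def audit(responses: Mapping[str, Mapping[str, str]]) -> Dict[str, bool]:
    """Map each sample name to whether it is still served inline."""
    return {name: pdf_rendered_inline(h) for name, h in responses.items()}

if __name__ == "__main__":
    for name, inline in audit(SAMPLE_RESPONSES).items():
        print(f"{name:24s} {'INLINE (exposed)' if inline else 'download dialog'}")
```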


