[WEB SECURITY] PDF to JavaScript to XML to Exploit

Jeremiah Grossman jeremiah at whitehatsec.com
Tue Jun 21 20:28:46 EDT 2005

Normally we don't advertise vulnerability advisories on this list,  
but I found this one particularly interesting. Especially since it  
took advantage of JavaScript and XML Entities as a vector of attack.

Sverre Huseby (thathost.com) found that the new Adobe Acrobat Reader  
(v7.0) had supported implementations of JavaScript and XML. An attack  
can be accomplished by having JavaScript execute at PDF document  
run-time to create an XML Object. The XML Object then makes use of an  
embedded XML Entity. The XML entity is then able to read in local  
files (per the XML spec), including /etc/password. I've tested this  
effectively on my OS X machine and the results were frankly spooky.  
As soon as I loaded the specially crafted PDF document, it was all  
over. I guess this means XSS can happen from inside a PDF. Great.

Of the many questions one may ask, my first was, "Why do PDF's need  

News Article:

Adobe Advisory:
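
A defensive check for the entity mechanism described in the post, as an added example that is not part of the original message or of Adobe's code: it lists the external entity declarations in an XML document so the document can be rejected before it reaches a parser that would resolve them. The sample documents, the placeholder path and the function names are constructed for illustration.

```python
import xml.parsers.expat
from urllib.parse import urlsplit

# Constructed sample: one internal entity and one external entity that
# points at a placeholder local path.
SAMPLE_HOSTILE = """<!DOCTYPE form [
  <!ENTITY note "plain internal text">
  <!ENTITY leak SYSTEM "file:///path/to/local/file">
]>
<form><field>&note;</field><field>&leak;</field></form>"""

SAMPLE_BENIGN = "<form><field>hello</field></form>"


def classify(system_id):
    """Label where an external entity's system identifier points."""
    scheme = urlsplit(system_id).scheme.lower()
    # No scheme is a relative path; one letter is a Windows drive such as C:
    if scheme in ("", "file") or len(scheme) == 1:
        return "local-file"
    return "remote:" + scheme


def external_entities(xml_text):
    """Return (name, system_id, kind) for each external entity declared.

    expat reports declarations through EntityDeclHandler and, with no
    ExternalEntityRefHandler set, never fetches what they point at.
    """
    found = []

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Internal entities carry a literal value; external ones do not.
        if value is None and system_id is not None:
            found.append((name, system_id, classify(system_id)))

    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(xml_text, True)
    return found


if __name__ == "__main__":
    for doc in (SAMPLE_HOSTILE, SAMPLE_BENIGN):
        hits = external_entities(doc)
        print("reject" if hits else "accept", hits)
```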


