[WEB SECURITY] Universal XSS with PDF files: highly dangerous
Billy Hoffman
Billy.Hoffman at spidynamics.com
Thu Jan 4 12:09:13 EST 2007
You cannot filter these URLs, because a URL fragment denotes something
inside of a resource. The server doesn't care what the fragment is. The
HTTP request sent when you click on a URL with a fragment doesn't
contain the fragment at all. This means a site cannot even implement a
web application firewall or IDS rule to not serve a PDF. They can't tell
the difference between a PDF requested for legitimate reasons or a PDF
requested as part of an attack.
Short of removing all PDFs from a website, that site cannot ensure they
are acting as an accomplice to exploit a user.
Fun times,
Billy Hoffman
--
Lead Researcher, SPI Labs
SPI Dynamics Inc. - http://www.spidynamics.com
Phone: 678-781-4800
Direct: 678-781-4845
________________________________
From: skarvin [mailto:skarvin at gmail.com]
Sent: Thursday, January 04, 2007 4:04 AM
To: bugtraq at securityfocus.com; websecurity at webappsec.org
Subject: Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
Hi all,
Another possible solution is to use Apache mod_security to filter
that kind of URL.
bye
2007/1/4, pdp (architect) <pdp.gnucitizen at googlemail.com>:
ahhh, fragment identifiers make sense to browsers only. they are not
sent to the server
On 1/4/07, der wert <derwert at hotmail.com> wrote:
>
> The best solution I see would be to keep all pdf files in a non-web
> accessible location on the web server, then have all the pdf files
> output through a script such as a php script. In php you can check
> what the REQUEST_URI is; if it isn't equal to what you were expecting,
> which would mean extra parameters were taken away or added, then you
> could just have the php script not output the pdf file, since that
> would mean someone had been tampering with the URI.
>
> D
>
--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
------------------------------------------------------------------------
----
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
--
Regards,
This message was written entirely with recycled electrons.
blog: http://skarvin.blogspot.com
main(){int j=1234;char t[]=":@abcdefghijklmnopqrstuvwxyz.\n",*i=
"iqgbgxmsuspcpdofeqgbnek.";char *strchr(const char *,int);while(
*i){j+=strchr(t,*i++)-t;j%=sizeof t-1;putchar(t[j]);} return 0;}
skarvin
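An added illustration of the point made in this thread, not code from any of the posters: it models what a browser actually puts on the wire for a URL (path and query, never the fragment) and runs the REQUEST_URI comparison proposed above against it. The URLs and the expected path are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed sample URLs for this example (not taken from the thread).
LEGIT_URL = "https://www.example.com/docs/report.pdf"
QUERY_TAMPERED_URL = "https://www.example.com/docs/report.pdf?x=1"
FRAGMENT_URL = "https://www.example.com/docs/report.pdf#some-fragment"


def request_target(url: str) -> str:
    """Model the request-target a browser sends for a URL.

    Per RFC 3986 the fragment is client-side only: the browser strips it
    before building the request line, so only path and query reach the
    server (and therefore REQUEST_URI, the access log, a WAF or an IDS).
    """
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return target


def request_uri_check(request_uri: str, expected: str) -> bool:
    """The server-side gate proposed in the thread: serve the PDF only
    when REQUEST_URI is exactly the URI the site expects."""
    return request_uri == expected


def verdicts(urls, expected_path):
    """For each URL: (url, what the server sees, whether the gate serves it)."""
    return [
        (u, request_target(u), request_uri_check(request_target(u), expected_path))
        for u in urls
    ]


if __name__ == "__main__":
    # Query-string tampering is visible server-side and gets blocked;
    # a fragment produces a request identical to the legitimate one.
    for url, seen, served in verdicts(
        [LEGIT_URL, QUERY_TAMPERED_URL, FRAGMENT_URL], "/docs/report.pdf"
    ):
        print(f"{url}\n  server sees: {seen}\n  served: {served}")
```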