[WEB SECURITY] Universal XSS with PDF files: highly dangerous
Brian Eaton
eaton.lists at gmail.com
Mon Jan 8 14:06:34 EST 2007
Someone (I believe RSnake) pointed out that many browser machines have
PDF files in predictable locations that can be accessed via file://
links. That lets an attacker gain local JavaScript execution. At one
point Firefox had a rule restricting http:// and https:// web pages
from accessing file:// links. Does that rule still exist, and if so
does it mitigate the risk posed to Firefox users?
Regards,
Brian
----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]