
List:       owasp-common
Subject:    Serious XSS attack on any app serving PDF's
From:       "Jeff Williams" <jeff.williams () owasp ! org>
Date:       2007-01-04 17:14:23
Message-ID: 03dd01c73023$c78a80c0$4624fea9 () aspectsecurity ! local

Hi,

 

I wanted to give everyone a heads-up on a very serious new application
security vulnerability that probably affects you.  Basically, any
application that serves PDF files is likely to be vulnerable to XSS attacks.

 

Attackers simply have to add an anchor containing a script, e.g. add
#blah=javascript:alert(document.cookie); to ANY URL that ends in .pdf (or
streams a PDF). The browser hands off the anchor to the Adobe reader plugin,
and the script then runs in the victim's browser.

 

You can find more information here:
http://www.gnucitizen.org/blog/universal-pdf-xss-after-party/

 

You can protect yourself by upgrading your browser and Adobe Reader. There
are many vulnerable browser/plugin combinations in use, including Firefox.
However, IE7 and IE6 SP2 do not appear vulnerable.

 

Protecting the users of your application from attack is more difficult.
This problem is entirely in the browser and the Adobe reader. The anchor is
not even passed from the browser to the web application, so there's really
not much you can do in your code to detect an attack. You could stop serving
PDF documents or move them to a different server, but that's not realistic
for many organizations.

 

--Jeff

 

Jeff Williams, Chair

The OWASP Foundation <http://www.owasp.org/> 

"Dedicated to finding and fighting the causes of insecure software"
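
The following is an added example, not part of the original message: it shows in Node.js why the server never sees the anchor, and sketches two server-side responses, the "different server" option from the message and a forced-download header that the message does not mention. The hostnames `app.example` and `docs.example`, the sample paths and all function names are hypothetical.

```javascript
// Added example; origins, paths and function names are assumptions.
const APP_ORIGIN = "https://app.example";   // origin that holds session cookies
const DOCS_ORIGIN = "https://docs.example"; // cookie-less host used only for PDFs

// What the server receives for a clicked link. The browser strips the
// fragment before building the request line, so it never reaches the
// application or its access logs.
function requestTarget(clickedUrl) {
  const u = new URL(clickedUrl);
  return u.pathname + u.search;
}

// "Move them to a different server": redirect every PDF request to a host
// that shares no cookies with the application. Only the path and query are
// reused, so the redirect target cannot be steered to another host.
function redirectToDocsHost(requestPath) {
  const u = new URL(requestPath, APP_ORIGIN);
  if (!u.pathname.toLowerCase().endsWith(".pdf")) return null;
  return {
    status: 302,
    headers: { Location: DOCS_ORIGIN + u.pathname + u.search },
  };
}

// Alternative not in the message: make the browser save the file instead of
// handing it to the inline reader plugin.
function downloadHeaders(requestPath) {
  const name = new URL(requestPath, APP_ORIGIN).pathname
    .split("/").pop()
    .replace(/[^A-Za-z0-9._-]/g, "_") || "document.pdf";
  return {
    "Content-Type": "application/octet-stream",
    "Content-Disposition": `attachment; filename="${name}"`,
  };
}

// Constructed sample link using the anchor quoted in the message.
const clicked =
  "https://app.example/reports/q4.pdf?id=7#blah=javascript:alert(document.cookie);";
console.log(requestTarget(clicked));             // fragment is absent
console.log(redirectToDocsHost("/reports/q4.pdf?id=7"));
console.log(downloadHeaders("/reports/q4.pdf"));
```
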

 

 

