kitchin
01-09-2007, 09:17 PM
Announced about a week ago and I haven't seen it discussed here yet, so I figured I'd poke my head up. It was rated the worst security bug of the year somewhere. I don't remember if it was 2006 or 2007 they meant!
Seems to come down to this. A malicious phisher type can use any PDF on your site to create an exploiting link
href="yoursite.tld/yourfile.pdf#blahblah=javascript:blobblobblob"
and then use it cross-site (XSS), in a frame or email or whatever.
The damage would be to reveal a user's sensitive info that should belong only to your site's domain, such as a login cookie or session key. That assumes your web site has user credentials that are valuable to some bad guy.
Affects only Acrobat for Windows, since that is the only PDF reader that decided to make itself into a Javascript interpreter. Acrobat has fixed it, but that doesn't mean there aren't millions of copies of bad Acrobats stuck on people's computers.
There are only a few ways I've heard for websites to prevent attacks:
1. delete all PDFs, or
2. redirect all PDF links to a different domain, or
3. send PDFs as "application/octet-stream" so that Acrobat will launch outside the browser, in which case the user is probably prompted first.
Trying to strip off the #blahblah part of the request by using .htaccess apparently does not work because that part of the URL is a client thing, not a server thing.
http://it.slashdot.org/article.pl?sid=07/01/03/2050206
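Mitigation 3 from the post in working form, as an added example (this is not code from the original post or the linked thread): a minimal Python WSGI app that serves PDFs as application/octet-stream with Content-Disposition: attachment, so the browser hands them to Acrobat outside the page instead of rendering them in your site's origin, plus a small helper that shows why the .htaccess idea cannot work: the browser never sends the `#...` fragment, so the server only ever sees the path and query. The directory, file name and placeholder PDF bytes are constructed for the demo.

```python
"""Serve PDFs so they download instead of opening in the browser plug-in,
and show what part of a '#fragment' link actually reaches the server.
Added example; the PDF directory and file are constructed placeholders."""
import os
import tempfile
from urllib.parse import urlsplit
from wsgiref.util import setup_testing_defaults

# Constructed stand-in for the site's PDF directory (not a real document).
PDF_DIR = tempfile.mkdtemp()
with open(os.path.join(PDF_DIR, "yourfile.pdf"), "wb") as f:
    f.write(b"%PDF-1.4\n% constructed placeholder, not a real document\n")


def request_target(url):
    """Return what the browser puts on the HTTP request line for `url`.

    Per RFC 3986 the fragment ('#...') is handled entirely by the client,
    so the server, and therefore .htaccess/mod_rewrite, only sees the path
    and query. Nothing server-side can strip what it never receives.
    """
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")


def pdf_headers(filename, length):
    """Headers that make the browser hand the file to Acrobat externally.

    application/octet-stream keeps the in-browser plug-in from claiming the
    response; Content-Disposition: attachment makes the browser offer a
    download (typically prompting the user) rather than render it in-page.
    """
    return [
        ("Content-Type", "application/octet-stream"),
        ("Content-Disposition", f'attachment; filename="{filename}"'),
        ("Content-Length", str(length)),
    ]


def app(environ, start_response):
    """Minimal WSGI app: *.pdf is forced to download, anything else is 404."""
    name = os.path.basename(environ.get("PATH_INFO", ""))  # no traversal
    full = os.path.join(PDF_DIR, name)
    if not (name.lower().endswith(".pdf") and os.path.isfile(full)):
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    with open(full, "rb") as fh:
        body = fh.read()
    start_response("200 OK", pdf_headers(name, len(body)))
    return [body]


def call(path):
    """Drive `app` without a network; returns (status, headers dict, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    link = "http://yoursite.tld/yourfile.pdf#blahblah=javascript:alert(document.cookie)"
    target = request_target(link)          # the fragment is already gone here
    print("server sees:", target)
    status, headers, _ = call(target)
    print(status, headers["Content-Type"], headers["Content-Disposition"])
```

Behind Apache the same effect is usually had with a `<FilesMatch "\.pdf$">` block that sets the type and the Content-Disposition header; the point of the Python version is that you can run it and see that `request_target` never contains the fragment, whatever rewrite rules you might write.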