Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous

To: pdp.gnucitizen@xxxxxxxxxxxxxx (\"pdp architect\")
Subject: Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
From: bugtraq@xxxxxxxxxxxxxxx
Date: Wed, 3 Jan 2007 19:00:08 -0500 (EST)
Cc: bugtraq@xxxxxxxxxxxxxxxxx, websecurity@xxxxxxxxxxxxx (Web Security)
In-reply-to: <6905b1570701031433p1dc866dfya408d2eff79f6c55@xxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

A slashdot user suggested the following


"One possible work around on the server side:
Direct your web server to serve .pdf files as mime type "application/octet"
That way the files will be saved to disk instead of opening in the browser plug 
in."


URL:
http://it.slashdot.org/comments.pl?sid=214868&threshold=1&commentsort=0&mode=thread&cid=17450834

This may cause undesired effects on certain browsers on the otherhand. 


- Robert
http://www.cgisecurity.com/ Website Security news, and more
http://www.cgisecurity.com/index.rss [RSS Security Feed]

Follow-Ups:
- RE: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
  - From: Martin O'Neal

References:
- Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
  - From: pdp (architect)

Prev by Date: Re: SMS handling OpenSER remote code executing
Next by Date: Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
Previous by thread: Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
Next by thread: RE: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
Index(es):
- Date
- Thread