Re: [Full-disclosure] Universal PDF XSS After Party(posible solution)

To: "Noe Espinoza M." <nespinoza@xxxxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] Universal PDF XSS After Party(posible solution)
From: "Darren Bounds" <dbounds@xxxxxxxxx>
Date: Thu, 4 Jan 2007 13:45:18 -0500
Cc: "pdp (architect)" <pdp.gnucitizen@xxxxxxxxxxxxxx>, full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx, "Web Security" <websecurity@xxxxxxxxxxxxx>
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=H3QkLsJostzXhzpmiusbObYctlee1OWGY1fCRHRKSYa4a7fl00HLM+o8rym9AP4P+leMhUYQ8bJn8D8C+33HAhqYswZpmpFByGnmiUtVKF95E5CbUxjw1EjYHK0eT6UFHh1Uui6CxPqsrQIOetAmMXm6c1odOrehbvfsZVkgZkE=
In-reply-to: <000401c7302d$c85f5160$313340c8@systester>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <6905b1570701040516n24eaa969rabe8eb200aaa2a22@xxxxxxxxxxxxxx> <000401c7302d$c85f5160$313340c8@systester>

If I recall correctly from the Content-Disposition HTML attachment
handling vulnerabilities last year, Opera didn't reliably abide by the
Content-Disposition header.

Additionally, Content-Disposition support in IE, Firefox, Opera,
Safari and a few others was extremely inconsistent from version to
version.


--

Thank you,
Darren Bounds



On 1/4/07, Noe Espinoza M. <nespinoza@xxxxxxxxxxxxxxx> wrote:

We need to force to the users do download  the pdf files

And we can add to the httpd.conf or .htaccess the next code

SetEnvIf Request_URI "\.pdf$" requested_pdf=pdf
Header add Content-Disposition "Attachment" env=requested_pdf


Other solution is protect our pdf files to external links (hotlinking)

Add in .htacces

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://([-a-z0-9]+\.)?example\.com[NC]
RewriteRule .*\.(pdf)$ http://www.example.com/images/noexternal.gif [R,NC,L]


Source from
http://seguinfo.blogspot.com/2007/01/hacking-con-browser-plugins.html



-----Mensaje original-----
De: pdp (architect) [mailto:pdp.gnucitizen@xxxxxxxxxxxxxx]
Enviado el: jueves, 04 de enero de 2007 7:17
Para: full-disclosure@xxxxxxxxxxxxxxxxx; bugtraq@xxxxxxxxxxxxxxxxx; Web
Security
Asunto: Universal PDF XSS After Party

Everybody knows about it. Everybody talks about it. We had a nice
party. It is time for estimating the damages. In this article I will
try to show the impact of the Universal PDF XSS vulnerability by
explaining how it can be used in real life situations.

http://www.gnucitizen.org/blog/universal-pdf-xss-after-party/

--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- Universal PDF XSS After Party
  - From: pdp (architect)
- RE: Universal PDF XSS After Party(posible solution)
  - From: Noe Espinoza M.

Prev by Date: Re: PHP as a secure language? PHP worms? [was: Re: new linux malware]
Next by Date: RE: PHP as a secure language? PHP worms? [was: Re: new linux malware]
Previous by thread: RE: Universal PDF XSS After Party(posible solution)
Next by thread: Re: [WEB SECURITY] RE: Universal PDF XSS After Party(posible solution)
Index(es):
- Date
- Thread