Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
RSnake wrote:
> No, that is incorrect. This is not visible by the application because
> achor tags are not sent to the webserver. This is completely invisible
> to web application firewalls. Btw, a user on http://sla.ckers.org/ made
> this recommendation for fixing your own browsers:
>
> Firefox->Tools->Options->Content->Manage->change PDF action to "Save to
> disk".
YMMV, but for Apache-based servers, one of the two methods below -may- do the
trick (no guarantees that it won't break your app in the process):
# mod_rewrite prevention vs. DOM attacks on static content
RewriteCond %{THE_REQUEST} .*\.(img|jpg|pdf|css|js)[^A-Za-z0-9._?&%-]
RewriteRule (.*\.(img|pdf|cgi|jpg)) $1 [R,L]
# mod_security 2.0 prevention vs. DOM attacks on static content
SecRule REQUEST_URI_RAW: ".*\.(img|jpg|pdf|css|js)[^A-Za-z0-9._?&%-]" \
"deny,log,status:501,id:955001,severity:2,msg:'DOM attack on static
content'"
Erick.