I think I get what Skarvin is saying. Hopefully we all know that fragments are
not sent with the request, so you cannot stop yourself from serving a PDF
that's about to execute JS code in a fragment. However, social sites and
forum sites can scan their site to see if any user-supplied links point to a
PDF with a malicious-looking fragment. At the very least they can make sure
they are not being an accomplice to an attack. Of course, some people serve
PDFs through file portals (file.php?file=foo.pdf) or use other things that
make it hard to see if a hyperlink serves a PDF or not.
Billy Hoffman
--
Lead Researcher, SPI Labs
SPI Dynamics Inc. – http://www.spidynamics.com
Phone: 678-781-4800
Direct: 678-781-4845
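An added example, not part of Billy Hoffman's message or of the original thread: a sketch of the link scan described above, which a forum could run over user-supplied URLs before publishing them. The `javascript:` token list, the function names and the sample URLs in the comments are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, unquote

# Assumption: a fragment is "malicious looking" when, after percent-decoding,
# it contains a script-bearing URI scheme. Extend the tuple for your own site.
SUSPICIOUS_TOKENS = ("javascript:",)


def request_target(url):
    """Return what the server receives: path and query, never the fragment."""
    parts = urlsplit(url)
    return (parts.path or "/") + ("?" + parts.query if parts.query else "")


def _normalize(text, rounds=3):
    """Undo nested percent-encoding (%256a -> %6a -> j), then fold case."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    # Drop whitespace that could be used to split a token, then lowercase.
    return "".join(text.split()).lower()


def classify_link(url):
    """Classify one user-supplied hyperlink as 'block', 'review' or 'ok'."""
    parts = urlsplit(url.strip())
    if not parts.fragment:
        return "ok"
    fragment = _normalize(parts.fragment)
    if not any(token in fragment for token in SUSPICIOUS_TOKENS):
        return "ok"
    # Suspicious fragment. A ".pdf" in the path or query (file portals such as
    # file.php?file=foo.pdf) is enough to block; anything else goes to a human,
    # because the URL alone does not reveal whether a PDF is served.
    target = _normalize(parts.path + "?" + parts.query)
    return "block" if ".pdf" in target else "review"


if __name__ == "__main__":
    # Constructed sample links, not taken from any real site.
    for link in ("http://forum.example/manual.pdf#page=3",
                 "http://forum.example/manual.pdf#x=%6Aavascript:void(0)",
                 "http://forum.example/download?id=42#x=javascript:void(0)"):
        print(classify_link(link), request_target(link), link)
```

The scan only works on the stored link text; as the thread explains, the same check cannot be done at request time because the fragment never reaches the server.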
________________________________
From: Ory Segal [mailto:osegal@xxxxxxxxxxxxx]
Sent: Thursday, January 04, 2007 3:40 PM
To: skarvin
Cc: bugtraq@xxxxxxxxxxxxxxxxx; websecurity@xxxxxxxxxxxxx
Subject: RE: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
Hi Skarvin,
When you click on a link that contains a fragment in it, the browser does
not send that part (everything after the # symbol - including the symbol
itself), to the server. For example:
http://www.some.site/page.html#abc , when clicked, will
send the following request:
GET /page.html HTTP/1.0
Host: www.some.site
...
So any server side filtering of '#' won't work.
-Ory Segal
www.watchfire.com
________________________________
From: skarvin [mailto:skarvin@xxxxxxxxx]
Sent: Thursday, January 04, 2007 10:07 PM
To: Billy Hoffman
Cc: bugtraq@xxxxxxxxxxxxxxxxx; websecurity@xxxxxxxxxxxxx
Subject: Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
Hello Billy,
If I write a rule that filters all URLs with this character --> # in its
content, I think that the problem is solved, but that is my opinion.
Best regards.
2007/1/4, Billy Hoffman <Billy.Hoffman@xxxxxxxxxxxxxxx>:
You cannot filter these URLs, because a URL fragment denotes something inside
of a resource. The server doesn't care what the fragment is. The HTTP
request sent when you click on a URL with a fragment doesn't contain the
fragment at all. This means a site cannot even implement a web application
firewall or IDS rule to not serve a PDF. They can't tell the difference
between a PDF requested for legitimate reasons or a PDF requested as part of
an attack.
Short of removing all PDFs from a website, that site cannot ensure they are
acting as an accomplice to exploit a user.
Fun times,
Billy Hoffman
--
Lead Researcher, SPI Labs
SPI Dynamics Inc. – http://www.spidynamics.com
Phone: 678-781-4800
Direct: 678-781-4845
________________________________
From: skarvin [mailto:skarvin@xxxxxxxxx]
Sent: Thursday, January 04, 2007 4:04 AM
To: bugtraq@xxxxxxxxxxxxxxxxx; websecurity@xxxxxxxxxxxxx
Subject: Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
Hi all,
Another possible solution is to use the Apache mod_security to filter that
kind of URL.
bye
2007/1/4, pdp (architect) < pdp.gnucitizen@xxxxxxxxxxxxxx>:
ahhh, fragment identifiers make sense to browsers only. they are not
sent to the server
On 1/4/07, der wert <derwert@xxxxxxxxxxx> wrote:
>
> The best solution I see would be to keep all pdf files in a non-web
> accessible location on the web server, then have all the pdf files outputted
> through a script such as a php script. In php you can check what the
> REQUEST_URI is, if it isn't equal to what you were expecting which would
> mean extra parameters were taken away or added then you could just have the
> php script not output the pdf file since that would mean someone had been
> tampering with the URI.
>
> D
>
--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
--
Un saludo,
This message was written entirely with recycled electrons.
blog: http://skarvin.blogspot.com
main(){int j=1234;char
t[]=":@abcdefghijklmnopqrstuvwxyz.\n",*i=
"iqgbgxmsuspcpdofeqgbnek.";char *strchr(const char *,int);while(
*i){j+=strchr(t,*i++)-t;j%=sizeof t-1;putchar(t[j]);}
return 0;}
skarvin