Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous

["pdp (architect)" <pdp.gnucitizen@xxxxxxxxxxxxxx>]

also, you can use TinyURL to hide entire attack vectors. For example,
the following link contains a harmless exploit (alert message box) for
Google:
http://tinyurl.com/t8h4q

more about this issue here:
http://www.gnucitizen.org/blog/universal-pdf-xss-after-party/

On 1/4/07, Billy Hoffman <Billy.Hoffman@xxxxxxxxxxxxxxx> wrote:
> I think I get what Skarvin is saying. Hopeful we all know that fragments are
> not sent with the request, so you cannot stop yourself from serving a PDF
> that's about to execute JS code in a fragment. However, social sites and
> forum sites can scan their site to see if any user supplied links point to a
> PDF with a malicious looking fragment. At the very least they can make sure
> they are not being an accomplice to an attack. Of course, some people server
> PDF's through file portals (file.php?file=foo.pdf) or use other things that
> makes it hard to see if a hyperlink serves a PDF or not.
>
>
>
>
> Billy Hoffman
>
> --
>
> Lead Researcher, SPI Labs
>
> SPI Dynamics Inc. – http://www.spidynamics.com
>
> Phone:  678-781-4800
>
> Direct:   678-781-4845
>
>  ________________________________
>
>
> From: Ory Segal [mailto:osegal@xxxxxxxxxxxxx]
>  Sent: Thursday, January 04, 2007 3:40 PM
>  To: skarvin
>  Cc: bugtraq@xxxxxxxxxxxxxxxxx; websecurity@xxxxxxxxxxxxx
>  Subject: RE: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
>
>
>
>
>
> Hi Skarvin,
>
>
>
>
>
> When you click on a link that contains a fragment in it, the browser does
> not send that part (everything after the # symbol - including the symbol
> itself), to the server. For example:
>
>
>
>
>
> http://www.some.site/page.html#abc , when clicked, will
> send the following request:
>
>
>
>
>
> GET /page.html HTTP/1.0
>
>
> Host: www.some.site
>
>
> ...
>
>
>
>
>
> So any server side filtering of '#' won't work.
>
>
>
>
>
> -Ory Segal
>
>
> www.watchfire.com
>
>
>
>
>
>
>
>
>
>
>
>  ________________________________
>
>
> From: skarvin [mailto:skarvin@xxxxxxxxx]
>  Sent: Thursday, January 04, 2007 10:07 PM
>  To: Billy Hoffman
>  Cc: bugtraq@xxxxxxxxxxxxxxxxx; websecurity@xxxxxxxxxxxxx
>  Subject: Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
>
> Hello Billy,
>
>  If I write a rule that filters all url with this character --> # in it's
> content I think that the problem is solved, but is my opinion.
>
>
>  Best regards.
>
>
> 2007/1/4, Billy Hoffman <Billy.Hoffman@xxxxxxxxxxxxxxx>:
>
>
>
> You cannot filter this URLs, because a URL fragment denotes something inside
> of a resource. The server doesn't care what the fragment it. The HTTP
> request sent when you click on a URL with a fragment doesn't contain the
> fragment at all. This means a site cannot even implement a web application
> firewall or IDS rule to not serve a PDF. They can't tell the different
> between a PDF requested for legitimate reasons or a PDF requested as part of
> an attack.
>
>
>
> Short of removing all PDF's from a website, that site cannot ensure they are
> acting as an accomplice to exploit a user.
>
>
>
> Fun times,
>
>
> Billy Hoffman
>
> --
>
> Lead Researcher, SPI Labs
>
> SPI Dynamics Inc. – http://www.spidynamics.com
>
> Phone:  678-781-4800
>
> Direct:   678-781-4845
>
>  ________________________________
>
>
> From: skarvin [mailto:skarvin@xxxxxxxxx]
>  Sent: Thursday, January 04, 2007 4:04 AM
>  To: bugtraq@xxxxxxxxxxxxxxxxx; websecurity@xxxxxxxxxxxxx
>  Subject: Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
>
>
>
>
> Hi all,
>
>  Another possible solution is to use the Apache mod_security to filter that
> kind of urls.
>
>  bye
>
>
> 2007/1/4, pdp (architect) < pdp.gnucitizen@xxxxxxxxxxxxxx>:
>
> ahhh, fragment identifiers make sense to browsers only. they are not
>  send to the server
>
>  On 1/4/07, der wert <derwert@xxxxxxxxxxx> wrote:
>  >
>  > The best solution I see would be to keep all pdf files in a non-web
>  > accessible location on the web server, then have all the pdf files
> outputed
>  > through a script such as a php script. In php you can check the what the
>  > REQUEST_URI is, if it isn't equal to what you were expecting which would
>  > mean extra parameters were taken away or added then you could just have
> the
>  > php script not output the pdf file since that would mean someone had been
>  > tampering with the URI.
>  >
>  > D
>  >
>  > ________________________________
>  > Get free, personalized online radio with MSN Radio powered by Pandora.
> Try
>  > it!
>
>
>  --
>  pdp (architect) | petko d. petkov
>  http://www.gnucitizen.org
>
> ----------------------------------------------------------------------------
>  The Web Security Mailing List:
>  http://www.webappsec.org/lists/websecurity/
>
>  The Web Security Mailing List Archives:
>  http://www.webappsec.org/lists/websecurity/archive/
>  http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
>
>
>
>  --
>  Un saludo,
>
>  This message was written entirely with recycled electrons.
>
>  blog: http://skarvin.blogspot.com
>  main(){int j=1234;char
> t[]=":@abcdefghijklmnopqrstuvwxyz.\n",*i=
>  "iqgbgxmsuspcpdofeqgbnek.";char *strchr(const char *,int);while(
>  *i){j+=strchr(t,*i++)-t;j%=sizeof t-1;putchar(t[j]);}
> return 0;}
>
>  skarvin
>
>
>
>
>  --
>  Un saludo,
>
>  This message was written entirely with recycled electrons.
>
>  blog: http://skarvin.blogspot.com
>  main(){int j=1234;char
> t[]=":@abcdefghijklmnopqrstuvwxyz.\n",*i=
>  "iqgbgxmsuspcpdofeqgbnek.";char *strchr(const char *,int);while(
>  *i){j+=strchr(t,*i++)-t;j%=sizeof t-1;putchar(t[j]);}
> return 0;}
>
>  skarvin


--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org