Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous

To: RSnake <rsnake@xxxxxxxxxxxx>
Subject: Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
From: Amit Klein <aksecurity@xxxxxxxxx>
Date: Mon, 08 Jan 2007 19:02:53 +0200
Cc: bugtraq@xxxxxxxxxxxxxxxxx, Web Security <websecurity@xxxxxxxxxxxxx>
In-reply-to: <Pine.LNX.4.64.0701080835450.27722@xxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <6905b1570701021820v7b22961do7226be1bcf04fa57@xxxxxxxxxxxxxx> <459B3C78.2080007@xxxxxxxxx> <459BF2B6.4050807@xxxxxxxxx> <26162adb0701032227i674df796m783f5d1f95c1a7b1@xxxxxxxxxxxxxx> <459D73C4.5060709@xxxxxxxxx> <Pine.LNX.4.64.0701050800480.16727@xxxxxxxxxxxxxxxxxxxx> <459E9611.7050103@xxxxxxxxx> <Pine.LNX.4.64.0701080835450.27722@xxxxxxxxxxxxxxxxxxxx>
User-agent: Thunderbird 1.5.0.7 (Windows/20060909)

RSnake wrote:

The point is - someone with shared IP is vulnerable ONLY to anattacker with the same IP. Which makes attacks much less generic andmuch more painful. Rock solid it ain't, but I think it's a prettygood band-aid until all (hmmm...) clients upgrade to Acrobat Reader 8.0.
-Amit
Sorry for responding late, I've been doing some consulting work.

After talking with some people on my blog I don't believe that is the
case (at least not in theory).  Let's say Alice has an account with
Bob's website.  Cathy is an attacker who owns a website that uses
anti-DNS pinning.

Of course anti-DNS pinning would work against my algorithm, but anti-DNSpinning is a larger problem, one that is out of scope here. I mean - somany things are broken when anti-DNS pinning is introduced... especiallyany IP-based security techniques. Anti-DNS pinning should be solved bybrowser vendors (if possible), regardless of the PDF problem. And at anyrate, I feel that my algorithm makes the attack harder because it forcesit to involve anti-DNS pinning.

Anyway, if you worry about the current anti-DNS pinning techniques, youmay simply serve your PDF files in HTTPS only. I believe this willdefeat the present day anti-DNS pinning techniques (in the sense thatthe user under anti-DNS pinning attack will get a certificate errorbefore being served the PDF).


-Amit

References:
- Universal XSS with PDF files: highly dangerous
  - From: pdp (architect)
- Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
  - From: Amit Klein
- Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
  - From: Amit Klein
- Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
  - From: Amit Klein
- Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
  - From: RSnake
- Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
  - From: Amit Klein
- Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
  - From: RSnake

Prev by Date: createauction (cats.asp) Remote SQL Injection Vulnerability
Next by Date: Re: cisco nac bypass vulnerability - cisco trust agent
Previous by thread: Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
Next by thread: Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
Index(es):
- Date
- Thread