Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous

To: RSnake <rsnake@xxxxxxxxxxxx>
Subject: Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
From: Amit Klein <aksecurity@xxxxxxxxx>
Date: Fri, 05 Jan 2007 20:16:49 +0200
Cc: bugtraq@xxxxxxxxxxxxxxxxx, Web Security <websecurity@xxxxxxxxxxxxx>
In-reply-to: <Pine.LNX.4.64.0701050800480.16727@xxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <6905b1570701021820v7b22961do7226be1bcf04fa57@xxxxxxxxxxxxxx> <459B3C78.2080007@xxxxxxxxx> <459BF2B6.4050807@xxxxxxxxx> <26162adb0701032227i674df796m783f5d1f95c1a7b1@xxxxxxxxxxxxxx> <459D73C4.5060709@xxxxxxxxx> <Pine.LNX.4.64.0701050800480.16727@xxxxxxxxxxxxxxxxxxxx>
User-agent: Thunderbird 1.5.0.7 (Windows/20060909)

RSnake wrote:

2. While thinking more about this solution, I observed that if theattacker can have an "agent" sharing the same IP address with thevictim (by agent I mean an entity that can communicate with thetarget web site and read back its response data), then the algorithmsI suggested will not be effective. Note that an attacker can share IPaddress with the victim when both share a forward proxy (e.g. someuniversities and ISPs), or when the attacker and victim share thesame machine (multi-user environment). Still, that narrows down theattack surface significantly.
It should be noted that this isn't as rare as just a few universities
and ISPs.  This also happens in lots of corporate networks (rogue user
on the internal network),  it happens with lots of internet cafe's, it
happens with AOL (~5MM users) and it happens with TOR users.  So while,
yes, I agree it is better than nothing it is hardly a rock solid
solution for anyone on a shared IP.

The point is - someone with shared IP is vulnerable ONLY to an attackerwith the same IP. Which makes attacks much less generic and much morepainful. Rock solid it ain't, but I think it's a pretty good band-aiduntil all (hmmm...) clients upgrade to Acrobat Reader 8.0.


-Amit

Follow-Ups:
- RE: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
  - From: Marvin Simkin
- Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
  - From: RSnake

References:
- Universal XSS with PDF files: highly dangerous
  - From: pdp (architect)
- Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
  - From: Amit Klein
- Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
  - From: Amit Klein
- Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
  - From: Amit Klein
- Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
  - From: RSnake

Prev by Date: RFID open source library - RFIDIOt code release - version 0.1k
Next by Date: Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
Previous by thread: Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
Next by thread: Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
Index(es):
- Date
- Thread