RE: [WEB SECURITY] Universal XSS with PDF files: highly dangerous

Subject: RE: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
From: "Marvin Simkin" <Marvin.Simkin@xxxxxxx>
Date: Tue, 9 Jan 2007 14:13:48 -0700
Cc: <bugtraq@xxxxxxxxxxxxxxxxx>, "Web Security" <websecurity@xxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <6905b1570701021820v7b22961do7226be1bcf04fa57@xxxxxxxxxxxxxx> <459B3C78.2080007@xxxxxxxxx> <459BF2B6.4050807@xxxxxxxxx> <26162adb0701032227i674df796m783f5d1f95c1a7b1@xxxxxxxxxxxxxx> <459D73C4.5060709@xxxxxxxxx> <Pine.LNX.4.64.0701050800480.16727@xxxxxxxxxxxxxxxxxxxx> <459E9611.7050103@xxxxxxxxx>
Thread-index: AcczlT32iwSL2qJsTuupvXsYFg7LjgAnMxs3
Thread-topic: [WEB SECURITY] Universal XSS with PDF files: highly dangerous

> From: Amit Klein [mailto:aksecurity@xxxxxxxxx]
> I think it's a pretty good band-aid until all (hmmm...) clients upgrade to 
> Acrobat Reader 8.0.

I can't find (on 
http://www.adobe.com/products/acrobat/readstep2_allversions.html) Acrobat 
Reader 8.0 for any flavor of Unix, nor for Mac prior to OS 10.4. Since these 
platforms may have browsers that may execute JavaScript, couldn't (for example) 
a cookie-stealing exploit work on them too? Thus am I correctly understanding 
that this is currently unpatched for everyone but Windows and Mac 10.4?

Marvin Simkin

Follow-Ups:
- Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
  - From: Ralph Angenendt

References:
- Universal XSS with PDF files: highly dangerous
  - From: pdp (architect)
- Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
  - From: Amit Klein
- Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
  - From: Amit Klein
- Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
  - From: Amit Klein
- Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
  - From: RSnake
- Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
  - From: Amit Klein

Prev by Date: Re: a cheesy Apache / IIS DoS vuln (+a question)
Next by Date: Easy Banner Pro Version 2.8 <= Remote File Inclusion
Previous by thread: Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
Next by thread: Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
Index(es):
- Date
- Thread