evan_tech -- universal pdf xss

01:25 pm, 3 Jan 07

universal pdf xss

Reportedly, any site hosting a PDF has an XSS exploit. The link has example XSS on Google, Microsoft, Bank of America(!), and others.

I anticipate a great flushing sound as every site removes all of their PDFs.

Update: it occurs to me that you could probably also fix this with a mod_rewrite (or equivalent) rule that 403's all parameters to PDF urls. Update2:

supersat points out that won't work.

[via

halkeye]

zenspider	apparently that exploit is plugin specific as it doesn't repro in safari.
reply to this

Anonymous
reply to this

evan	Last I checked, stupid reader would try to update itself multiple times a day. Anyway, any reasonably security-paranoid site can't risk XSS'ing users that haven't autoupdated...
reply to this

halkeye I did read its fixed in 8 (they found it themselves before this hit the net), but the auto-update system doesn't seem to try to goto 8, just 7.0.8.

reply to this

strspn Will Gmail be similarly abandoned en masse?

reply to this
- evan The difference is that gmail can be fixed for all users, while PDFs are now broken for the rest of history.
  
  reply to this
  - Anonymous Indeed. Apparently. Why won't Adobe's autoupdate jump to v.8?
    
    reply to this

Anonymous	The problem with using something like mod_rewrite to plug this hole is that like HTML anchors, nothing past the # (or even the # itself) is sent to the server. I suppose something that might work is checking to see if the Referer header is from a trusted domain, and do some sort of automatic redirection if it isn't.
reply to this

supersat Grumble. LJ logged me out. ;)

reply to this

halkeye	http://ha.ckers.org/blog/20070103/pdf-xss-can-compromise-your-machine/ it gets worse... And you can apparently fix it if you force a download with content-disposition: attachment (did i spell that right?)
reply to this

evan	Is that really worse? I think it's not harmful to run arbitrary JS on the file:/// context (?) because nothing else runs there.
reply to this

halkeye	i guess it depends on your setup. I can imagine default security settings for local files being much lower than websites. I know sysadmins (for windows) can access all kinds of things and write them to disk. Couldn't this mean you could write worms directly to the hd and startup sections?
reply to this

Anonymous
reply to this

evan	I was thinking about this redirecting scheme too. But maybe you could do something simpler, like make a "pdfs.mysite.com" and rewrite all pdf mimetype URLs into a redirect there. (I don't know enough about cookies to know whether you can restrict cookies appropriately to not be accessible from a subdomain, but surely LJ does something like this.)
reply to this

halkeye	i'm fairly certain it works the other way mysite.com cookies work on pdf.mysite.com but if you setup your cookies for www.mysite.com they won't work on pdf.mysite.com
reply to this

halkeye	I did read its fixed in 8 (they found it themselves before this hit the net), but the auto-update system doesn't seem to try to goto 8, just 7.0.8.
reply to this

strspn	Will Gmail be similarly abandoned en masse?
reply to this

evan	The difference is that gmail can be fixed for all users, while PDFs are now broken for the rest of history.
reply to this

Anonymous	Indeed. Apparently. Why won't Adobe's autoupdate jump to v.8?
reply to this

supersat	Grumble. LJ logged me out. ;)
reply to this