[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous



also, you can use TinyURL to hide entire attack vectors. For example,
the following link contains a harmless exploit (alert message box) for
Google:
http://tinyurl.com/t8h4q

more about this issue here:
http://www.gnucitizen.org/blog/universal-pdf-xss-after-party/

On 1/4/07, Billy Hoffman <Billy.Hoffman@xxxxxxxxxxxxxxx> wrote:




I think I get what Skarvin is saying. Hopeful we all know that fragments are
not sent with the request, so you cannot stop yourself from serving a PDF
that's about to execute JS code in a fragment. However, social sites and
forum sites can scan their site to see if any user supplied links point to a
PDF with a malicious looking fragment. At the very least they can make sure
they are not being an accomplice to an attack. Of course, some people server
PDF's through file portals (file.php?file=foo.pdf) or use other things that
makes it hard to see if a hyperlink serves a PDF or not.




Billy Hoffman

--

Lead Researcher, SPI Labs

SPI Dynamics Inc. – http://www.spidynamics.com

Phone:  678-781-4800

Direct:   678-781-4845

 ________________________________


From: Ory Segal [mailto:osegal@xxxxxxxxxxxxx]
 Sent: Thursday, January 04, 2007 3:40 PM
 To: skarvin
 Cc: bugtraq@xxxxxxxxxxxxxxxxx; websecurity@xxxxxxxxxxxxx
 Subject: RE: [WEB SECURITY] Universal XSS with PDF files: highly dangerous





Hi Skarvin,





When you click on a link that contains a fragment in it, the browser does
not send that part (everything after the # symbol - including the symbol
itself), to the server. For example:





http://www.some.site/page.html#abc , when clicked, will
send the following request:





GET /page.html HTTP/1.0


Host: www.some.site


...





So any server side filtering of '#' won't work.





-Ory Segal


www.watchfire.com











 ________________________________


From: skarvin [mailto:skarvin@xxxxxxxxx]
 Sent: Thursday, January 04, 2007 10:07 PM
 To: Billy Hoffman
 Cc: bugtraq@xxxxxxxxxxxxxxxxx; websecurity@xxxxxxxxxxxxx
 Subject: Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous

Hello Billy,

 If I write a rule that filters all url with this character --> # in it's
content I think that the problem is solved, but is my opinion.


 Best regards.


2007/1/4, Billy Hoffman <Billy.Hoffman@xxxxxxxxxxxxxxx>:



You cannot filter this URLs, because a URL fragment denotes something inside
of a resource. The server doesn't care what the fragment it. The HTTP
request sent when you click on a URL with a fragment doesn't contain the
fragment at all. This means a site cannot even implement a web application
firewall or IDS rule to not serve a PDF. They can't tell the different
between a PDF requested for legitimate reasons or a PDF requested as part of
an attack.



Short of removing all PDF's from a website, that site cannot ensure they are
acting as an accomplice to exploit a user.



Fun times,


Billy Hoffman

--

Lead Researcher, SPI Labs

SPI Dynamics Inc. – http://www.spidynamics.com

Phone:  678-781-4800

Direct:   678-781-4845

 ________________________________


From: skarvin [mailto:skarvin@xxxxxxxxx]
 Sent: Thursday, January 04, 2007 4:04 AM
 To: bugtraq@xxxxxxxxxxxxxxxxx; websecurity@xxxxxxxxxxxxx
 Subject: Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous




Hi all,

 Another possible solution is to use the Apache mod_security to filter that
kind of urls.

 bye


2007/1/4, pdp (architect) < pdp.gnucitizen@xxxxxxxxxxxxxx>:

ahhh, fragment identifiers make sense to browsers only. they are not
 send to the server

 On 1/4/07, der wert <derwert@xxxxxxxxxxx> wrote:
 >
 > The best solution I see would be to keep all pdf files in a non-web
 > accessible location on the web server, then have all the pdf files
outputed
 > through a script such as a php script. In php you can check the what the
 > REQUEST_URI is, if it isn't equal to what you were expecting which would
 > mean extra parameters were taken away or added then you could just have
the
 > php script not output the pdf file since that would mean someone had been
 > tampering with the URI.
 >
 > D
 >
 > ________________________________
 > Get free, personalized online radio with MSN Radio powered by Pandora.
Try
 > it!


 --
 pdp (architect) | petko d. petkov
 http://www.gnucitizen.org

----------------------------------------------------------------------------
 The Web Security Mailing List:
 http://www.webappsec.org/lists/websecurity/

 The Web Security Mailing List Archives:
 http://www.webappsec.org/lists/websecurity/archive/
 http://www.webappsec.org/rss/websecurity.rss [RSS Feed]




 --
 Un saludo,

 This message was written entirely with recycled electrons.

 blog: http://skarvin.blogspot.com
 main(){int j=1234;char
t[]=":@abcdefghijklmnopqrstuvwxyz.\n",*i=
 "iqgbgxmsuspcpdofeqgbnek.";char *strchr(const char *,int);while(
 *i){j+=strchr(t,*i++)-t;j%=sizeof t-1;putchar(t[j]);}
return 0;}

 skarvin




 --
 Un saludo,

 This message was written entirely with recycled electrons.

 blog: http://skarvin.blogspot.com
 main(){int j=1234;char
t[]=":@abcdefghijklmnopqrstuvwxyz.\n",*i=
 "iqgbgxmsuspcpdofeqgbnek.";char *strchr(const char *,int);while(
 *i){j+=strchr(t,*i++)-t;j%=sizeof t-1;putchar(t[j]);}
return 0;}

 skarvin


--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org