Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
- To: RSnake <rsnake@xxxxxxxxxxxx>
- Subject: Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
- From: "Brian Eaton" <eaton.lists@xxxxxxxxx>
- Date: Mon, 8 Jan 2007 14:06:34 -0500
Someone (I believe RSnake) pointed out that many browser machines have
PDF files in predictable locations that can be accessed via file://
links. That lets an attacker gain local JavaScript execution. At one
point Firefox had a rule restricting http:// and https:// web pages
from accessing file:// links. Does that rule still exist, and if so,
does it mitigate the risk posed to Firefox users?
Regards,
Brian