lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Thu, 4 Jan 2007 10:49:00 -0800 (PST)
From: RSnake <rsnake@...cking.com>
To: "Noe Espinoza M." <nespinoza@...powissen.com>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com,
	"'pdp \(architect\)'" <pdp.gnucitizen@...glemail.com>,
	'Web Security' <websecurity@...appsec.org>
Subject: Re: [WEB SECURITY] RE: Universal PDF XSS After
	Party(posible solution)


Be careful using either of those.  REQUEST_URI can contain anything:

http://example.com/file.pdf?whatever#vectorgoeshere

For that example the request URI will be ..pathto..file.pdf?whatever
which does not match "\.pdf$".  Likewise the second one has issues,
including the fact that referrers are not always present (Zonelabs Zone
Alarm Pro, and both Norton Internet Security and Norton Personal
Firewall).  Also, referrers are spoofable using Flash.
http://ha.ckers.org/blog/20060725/forging-http-request-headers-with-flash/
(hat tip to Amit).


-RSnake
http://ha.ckers.org/
http://sla.ckers.org/
http://ha.ckers.org/fierce/

On Thu, 4 Jan 2007, Noe Espinoza M. wrote:

> We need to force to the users do download  the pdf files
>
> And we can add to the httpd.conf or .htaccess the next code
>
> SetEnvIf Request_URI "\.pdf$" requested_pdf=pdf
> Header add Content-Disposition "Attachment" env=requested_pdf
>
>
> Other solution is protect our pdf files to external links (hotlinking)
>
> Add in .htacces
>
> RewriteEngine on
> RewriteCond %{HTTP_REFERER} !^$
> RewriteCond %{HTTP_REFERER} !^http://([-a-z0-9]+\.)?example\.com[NC]
> RewriteRule .*\.(pdf)$ http://www.example.com/images/noexternal.gif [R,NC,L]
>
>
> Source from
> http://seguinfo.blogspot.com/2007/01/hacking-con-browser-plugins.html
>
>
>
> -----Mensaje original-----
> De: pdp (architect) [mailto:pdp.gnucitizen@...glemail.com]
> Enviado el: jueves, 04 de enero de 2007 7:17
> Para: full-disclosure@...ts.grok.org.uk; bugtraq@...urityfocus.com; Web
> Security
> Asunto: Universal PDF XSS After Party
>
> Everybody knows about it. Everybody talks about it. We had a nice
> party. It is time for estimating the damages. In this article I will
> try to show the impact of the Universal PDF XSS vulnerability by
> explaining how it can be used in real life situations.
>
> http://www.gnucitizen.org/blog/universal-pdf-xss-after-party/
>
> -- 
> pdp (architect) | petko d. petkov
> http://www.gnucitizen.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ