Date: Thu, 4 Jan 2007 08:09:38 +0000
From: "pdp (architect)" <pdp.gnucitizen@...glemail.com>
To: "der wert" <derwert@...mail.com>
Cc: bugtraq@...urityfocus.com, websecurity@...appsec.org
Subject: Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous

ahhh, fragment identifiers make sense to browsers only. they are not
sent to the server

On 1/4/07, der wert <derwert@...mail.com> wrote:
>
> The best solution I see would be to keep all pdf files in a non-web
> accessible location on the web server, then have all the pdf files outputted
> through a script such as a php script. In php you can check what the
> REQUEST_URI is, if it isn't equal to what you were expecting which would
> mean extra parameters were taken away or added then you could just have the
> php script not output the pdf file since that would mean someone had been
> tampering with the URI.
>
> D
>


-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
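The point of this exchange, as an added example that is not part of the thread or either author's code: the REQUEST_URI check proposed in the quoted message sees the path and query string, but a fragment identifier is consumed by the browser and never transmitted, so the check cannot distinguish a URL with a fragment from one without. The hostname, paths and fragment value below are constructed for illustration; it uses the WHATWG URL API available in Node.js and browsers.

```javascript
// Added example (constructed, not from the thread): what a server-side
// REQUEST_URI check can and cannot observe about a requested URL.

// The request target a browser actually puts on the wire is the path plus
// the query string. Everything from "#" onward is the fragment identifier,
// which stays in the browser (or in a PDF viewer plugin reading the URL)
// and is never sent to the server.
function requestTarget(urlString) {
  const u = new URL(urlString);
  return u.pathname + u.search;
}

// The fragment as only client-side code can see it.
function clientSideFragment(urlString) {
  return new URL(urlString).hash;
}

// Model of the check from the quoted message: serve the PDF only when the
// request URI is exactly the expected value.
function serverWouldServe(expectedRequestUri, urlString) {
  return requestTarget(urlString) === expectedRequestUri;
}

const EXPECTED = "/files/report.pdf";                       // constructed
const plain = "https://example.test/files/report.pdf";      // constructed
const withQuery = "https://example.test/files/report.pdf?x=1";
const withFragment = "https://example.test/files/report.pdf#client-side-only";

// Added or removed query parameters are visible and get rejected...
console.log(serverWouldServe(EXPECTED, withQuery));                 // false
// ...but a fragment never reaches the server, so this check passes it.
console.log(serverWouldServe(EXPECTED, withFragment));              // true
console.log(requestTarget(plain) === requestTarget(withFragment));  // true
// Only the client side can act on the fragment.
console.log(clientSideFragment(withFragment));                      // "#client-side-only"
```

Any defence against fragment-based input therefore has to run where the fragment is visible, in the browser or the viewer plugin, not in a server-side URI filter.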
