lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.64.0701040948170.4686@fingers.shocking.com>
Date: Thu, 4 Jan 2007 09:53:44 -0800 (PST)
From: RSnake <rsnake@...cking.com>
To: Billy Hoffman <Billy.Hoffman@...dynamics.com>
Cc: skarvin <skarvin@...il.com>, bugtraq@...urityfocus.com,
	websecurity@...appsec.org
Subject: RE: [WEB SECURITY] Universal XSS with PDF files: highly dangerous


That's correct.  In doing some quick tests you can mitigate this if you
take the URL (let's say http://site.com/file.pdf) and 301 them to the
same file with an empty anchor tag:  http://site.com/file.pdf#

Of course that would cause an infinite loop since the empty anchor tag
is not visible to the webserver so the unique token is still required.

-RSnake
http://ha.ckers.org/
http://sla.ckers.org/
http://ha.ckers.org/fierce/

On Thu, 4 Jan 2007, Billy Hoffman wrote:

> You cannot filter this URLs, because a URL fragment denotes something
> inside of a resource. The server doesn't care what the fragment it. The
> HTTP request sent when you click on a URL with a fragment doesn't
> contain the fragment at all. This means a site cannot even implement a
> web application firewall or IDS rule to not serve a PDF. They can't tell
> the different between a PDF requested for legitimate reasons or a PDF
> requested as part of an attack.
>
>
>
> Short of removing all PDF's from a website, that site cannot ensure they
> are acting as an accomplice to exploit a user.
>
>
>
> Fun times,
>
> Billy Hoffman
>
> --
>
> Lead Researcher, SPI Labs
>
> SPI Dynamics Inc. - http://www.spidynamics.com
> <http://www.spidynamics.com/>
>
> Phone:  678-781-4800
>
> Direct:   678-781-4845
>
> ________________________________
>
> From: skarvin [mailto:skarvin@...il.com]
> Sent: Thursday, January 04, 2007 4:04 AM
> To: bugtraq@...urityfocus.com; websecurity@...appsec.org
> Subject: Re: [WEB SECURITY] Universal XSS with PDF files: highly
> dangerous
>
>
>
> Hi all,
>
> Another possible solution is to use the Apache mod_security to filter
> that kind of urls.
>
> bye
>
> 2007/1/4, pdp (architect) < pdp.gnucitizen@...glemail.com
> <mailto:pdp.gnucitizen@...glemail.com> >:
>
> ahhh, fragment identifiers make sense to browsers only. they are not
> send to the server
>
> On 1/4/07, der wert <derwert@...mail.com> wrote:
>>
>> The best solution I see would be to keep all pdf files in a non-web
>> accessible location on the web server, then have all the pdf files
> outputed
>> through a script such as a php script. In php you can check the what
> the
>> REQUEST_URI is, if it isn't equal to what you were expecting which
> would
>> mean extra parameters were taken away or added then you could just
> have the
>> php script not output the pdf file since that would mean someone had
> been
>> tampering with the URI.
>>
>> D
>>
>> ________________________________
>> Get free, personalized online radio with MSN Radio powered by Pandora.
> Try
>> it!
>
>
> --
> pdp (architect) | petko d. petkov
> http://www.gnucitizen.org
>
> ------------------------------------------------------------------------
> ----
> The Web Security Mailing List:
> http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
>
>
>
> -- 
> Un saludo,
>
> This message was written entirely with recycled electrons.
>
> blog: http://skarvin.blogspot.com
> main(){int j=1234;char t[]=":@abcdefghijklmnopqrstuvwxyz.\n",*i=
> "iqgbgxmsuspcpdofeqgbnek.";char *strchr(const char *,int);while(
> *i){j+=strchr(t,*i++)-t;j%=sizeof t-1;putchar(t[j]);} return 0;}
>
> skarvin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ