[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <000401c7302d$c85f5160$313340c8@systester>
Date: Thu, 4 Jan 2007 12:25:46 -0600
From: "Noe Espinoza M." <nespinoza@...powissen.com>
To: "'pdp (architect)'" <pdp.gnucitizen@...glemail.com>,
<full-disclosure@...ts.grok.org.uk>, <bugtraq@...urityfocus.com>,
"'Web Security'" <websecurity@...appsec.org>
Subject: RE: Universal PDF XSS After Party(posible solution)
We need to force to the users do download the pdf files
And we can add to the httpd.conf or .htaccess the next code
SetEnvIf Request_URI "\.pdf$" requested_pdf=pdf
Header add Content-Disposition "Attachment" env=requested_pdf
Other solution is protect our pdf files to external links (hotlinking)
Add in .htacces
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://([-a-z0-9]+\.)?example\.com[NC]
RewriteRule .*\.(pdf)$ http://www.example.com/images/noexternal.gif [R,NC,L]
Source from
http://seguinfo.blogspot.com/2007/01/hacking-con-browser-plugins.html
-----Mensaje original-----
De: pdp (architect) [mailto:pdp.gnucitizen@...glemail.com]
Enviado el: jueves, 04 de enero de 2007 7:17
Para: full-disclosure@...ts.grok.org.uk; bugtraq@...urityfocus.com; Web
Security
Asunto: Universal PDF XSS After Party
Everybody knows about it. Everybody talks about it. We had a nice
party. It is time for estimating the damages. In this article I will
try to show the impact of the Universal PDF XSS vulnerability by
explaining how it can be used in real life situations.
http://www.gnucitizen.org/blog/universal-pdf-xss-after-party/
--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
Powered by blists - more mailing lists