Message-ID: <20070108183206.6941.qmail@securityfocus.com>
Date: 8 Jan 2007 18:32:06 -0000
From: rudeyak@...oo.com
To: bugtraq@...urityfocus.com
Subject: Re: Re: Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
A correction to my previous post: since THE_REQUEST looks like "GET /foo/bar/baz.pdf HTTP/1.0", the regex used needs to match the space between "pdf" and "HTTP", so this mod works better:
RewriteCond %{THE_REQUEST} .*\.pdf[^\wA-Za-z0-9._?&%-]
Again, YMMV depending on what characters you expect to be valid trailing ".pdf" in your application.
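To see why the space matters, the following script (an added example, not part of the original post or of any Apache code) replays the post's RewriteCond pattern against constructed request lines. Apache evaluates a RewriteCond as an unanchored PCRE search over THE_REQUEST, which is the whole request line ("GET /foo/bar/baz.pdf HTTP/1.0"), not just the path; the same pattern is evaluated here with Python's re module, whose syntax coincides with PCRE for this expression. The `ANCHORED_PATTERN` is a hypothetical contrast, assumed here to illustrate a pattern that would never fire on THE_REQUEST because the line does not end at ".pdf". The `client_request_target` helper models one caveat worth keeping in mind with this class of mitigation: browsers never send the URL fragment (the part after "#"), so whatever follows "#" in the PDF link cannot appear in THE_REQUEST at all, and only the path and query string are available for server-side matching. The RewriteRule that consumes the condition is not on this page and is not shown.

```python
import re

# The exact RewriteCond pattern from the post. Apache applies it as an
# unanchored search against THE_REQUEST (the raw request line).
POST_PATTERN = re.compile(r".*\.pdf[^\wA-Za-z0-9._?&%-]")

# Hypothetical contrast (assumption, not from the post): a pattern anchored at
# end-of-string, as one might write when assuming THE_REQUEST holds only the path.
ANCHORED_PATTERN = re.compile(r".*\.pdf$")


def client_request_target(url_path: str) -> str:
    """Model what a browser actually sends as the request-target.

    The fragment ("#..." and everything after it) is stripped client-side and
    never reaches the server, so it cannot be matched by any RewriteCond.
    """
    return url_path.split("#", 1)[0]


def the_request(method: str, target: str, version: str = "HTTP/1.0") -> str:
    """Build THE_REQUEST as Apache sees it: method, request-target, version."""
    return f"{method} {client_request_target(target)} {version}"


def cond_matches(pattern: re.Pattern, request_line: str) -> bool:
    """A RewriteCond is a substring search over the variable, not a full match."""
    return pattern.search(request_line) is not None


def classify(target: str) -> dict:
    """Evaluate both patterns against a constructed GET request for `target`."""
    line = the_request("GET", target)
    return {
        "request": line,
        "post_pattern": cond_matches(POST_PATTERN, line),
        "anchored_pattern": cond_matches(ANCHORED_PATTERN, line),
    }


if __name__ == "__main__":
    # Constructed sample request-targets covering the cases that differ.
    samples = [
        "/foo/bar/baz.pdf",                  # plain PDF: space follows ".pdf"
        "/foo/bar/baz.pdf?download=1",       # "?" is in the allowed set
        "/foo/bar/baz.pdfx",                 # "x" is \w, so not a ".pdf" boundary
        "/foo/bar/baz.pdf/extra",            # "/" is not in the allowed set
        "/foo/bar/baz.pdf#x=javascript:1",   # fragment never sent; same as plain
    ]
    for target in samples:
        result = classify(target)
        print(f"{result['request']!r:45} post={result['post_pattern']!s:5} "
              f"anchored={result['anchored_pattern']}")
```

The plain ".pdf" request is matched by the post's pattern only because the space before "HTTP/1.0" is outside the negated character class; a request with a query string ("?") or path-info-style trailing text that stays within the allowed characters is not matched, and an end-anchored pattern matches nothing at all, since THE_REQUEST never ends at ".pdf".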