Date: Thu, 4 Jan 2007 21:45:30 +0000
From: "pdp (architect)" <pdp.gnucitizen@...glemail.com>
To: "Billy Hoffman" <Billy.Hoffman@...dynamics.com>
Cc: "Ory Segal" <osegal@...chfire.com>, skarvin <skarvin@...il.com>,
	bugtraq@...urityfocus.com, websecurity@...appsec.org
Subject: Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous

also, you can use TinyURL to hide entire attack vectors. For example,
the following link contains a harmless exploit (alert message box) for
Google:
http://tinyurl.com/t8h4q

more about this issue here:
http://www.gnucitizen.org/blog/universal-pdf-xss-after-party/

On 1/4/07, Billy Hoffman <Billy.Hoffman@...dynamics.com> wrote:
>
> I think I get what Skarvin is saying. Hopefully we all know that fragments are
> not sent with the request, so you cannot stop yourself from serving a PDF
> that's about to execute JS code in a fragment. However, social sites and
> forum sites can scan their site to see if any user supplied links point to a
> PDF with a malicious looking fragment. At the very least they can make sure
> they are not being an accomplice to an attack. Of course, some people serve
> PDFs through file portals (file.php?file=foo.pdf) or use other things that
> make it hard to see if a hyperlink serves a PDF or not.
>
> Billy Hoffman
>
> --
>
> Lead Researcher, SPI Labs
>
> SPI Dynamics Inc. – http://www.spidynamics.com
>
> Phone:  678-781-4800
>
> Direct:   678-781-4845
>
>  ________________________________
>
>
> From: Ory Segal [mailto:osegal@...chfire.com]
>  Sent: Thursday, January 04, 2007 3:40 PM
>  To: skarvin
>  Cc: bugtraq@...urityfocus.com; websecurity@...appsec.org
>  Subject: RE: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
>
> Hi Skarvin,
>
> When you click on a link that contains a fragment in it, the browser does
> not send that part (everything after the # symbol - including the symbol
> itself), to the server. For example:
>
> http://www.some.site/page.html#abc , when clicked, will
> send the following request:
>
> GET /page.html HTTP/1.0
> Host: www.some.site
> ...
>
> So any server side filtering of '#' won't work.
>
> -Ory Segal
>
> www.watchfire.com
>
>  ________________________________
>
>
> From: skarvin [mailto:skarvin@...il.com]
>  Sent: Thursday, January 04, 2007 10:07 PM
>  To: Billy Hoffman
>  Cc: bugtraq@...urityfocus.com; websecurity@...appsec.org
>  Subject: Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
>
> Hello Billy,
>
>  If I write a rule that filters all URLs with this character --> # in their
> content I think that the problem is solved, but that is my opinion.
>
>
>  Best regards.
>
>
> 2007/1/4, Billy Hoffman <Billy.Hoffman@...dynamics.com>:
>
> You cannot filter these URLs, because a URL fragment denotes something inside
> of a resource. The server doesn't care what the fragment is. The HTTP
> request sent when you click on a URL with a fragment doesn't contain the
> fragment at all. This means a site cannot even implement a web application
> firewall or IDS rule to not serve a PDF. They can't tell the difference
> between a PDF requested for legitimate reasons or a PDF requested as part of
> an attack.
>
> Short of removing all PDFs from a website, that site cannot ensure they are
> acting as an accomplice to exploit a user.
>
> Fun times,
>
>
> Billy Hoffman
>
> --
>
> Lead Researcher, SPI Labs
>
> SPI Dynamics Inc. – http://www.spidynamics.com
>
> Phone:  678-781-4800
>
> Direct:   678-781-4845
>
>  ________________________________
>
>
> From: skarvin [mailto:skarvin@...il.com]
>  Sent: Thursday, January 04, 2007 4:04 AM
>  To: bugtraq@...urityfocus.com; websecurity@...appsec.org
>  Subject: Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
>
> Hi all,
>
>  Another possible solution is to use the Apache mod_security to filter that
> kind of URLs.
>
>  bye
>
>
> 2007/1/4, pdp (architect) < pdp.gnucitizen@...glemail.com>:
>
> ahhh, fragment identifiers make sense to browsers only. they are not
>  sent to the server
>
>  On 1/4/07, der wert <derwert@...mail.com> wrote:
>  >
>  > The best solution I see would be to keep all pdf files in a non-web
>  > accessible location on the web server, then have all the pdf files output
>  > through a script such as a php script. In php you can check what the
>  > REQUEST_URI is; if it isn't equal to what you were expecting, which would
>  > mean extra parameters were taken away or added, then you could just have
>  > the php script not output the pdf file since that would mean someone had
>  > been tampering with the URI.
>  >
>  > D
>  >
>  > ________________________________
>
>
>  --
>  pdp (architect) | petko d. petkov
>  http://www.gnucitizen.org
>
> ----------------------------------------------------------------------------
>  The Web Security Mailing List:
>  http://www.webappsec.org/lists/websecurity/
>
>  The Web Security Mailing List Archives:
>  http://www.webappsec.org/lists/websecurity/archive/
>  http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
>  --
>  Un saludo,
>
>  This message was written entirely with recycled electrons.
>
>  blog: http://skarvin.blogspot.com
>  main(){int j=1234;char
> t[]=":@abcdefghijklmnopqrstuvwxyz.\n",*i=
>  "iqgbgxmsuspcpdofeqgbnek.";char *strchr(const char *,int);while(
>  *i){j+=strchr(t,*i++)-t;j%=sizeof t-1;putchar(t[j]);}
> return 0;}
>
>  skarvin
>
>  --
>  Un saludo,
>
>  This message was written entirely with recycled electrons.
>
>  blog: http://skarvin.blogspot.com
>  main(){int j=1234;char
> t[]=":@abcdefghijklmnopqrstuvwxyz.\n",*i=
>  "iqgbgxmsuspcpdofeqgbnek.";char *strchr(const char *,int);while(
>  *i){j+=strchr(t,*i++)-t;j%=sizeof t-1;putchar(t[j]);}
> return 0;}
>
>  skarvin


-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
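The thread's core point, that the fragment never reaches the server, so neither a mod_security rule on `#` nor a REQUEST_URI comparison in a PHP wrapper can see it, and Billy Hoffman's remaining option of scanning user-supplied links on the forum side (including PDFs served through file portals), is worked through below in Python. This is an added example, not code from anyone on the thread or from the projects mentioned; the allowlist of PDF open-parameter names, the sample links and the flagging heuristic are constructed assumptions for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample links for the demonstration (not taken from the thread).
SAMPLE_LINKS = [
    "http://www.some.site/page.html#abc",                            # Ory's example link
    "http://www.some.site/docs/report.pdf",                          # plain PDF, no fragment
    "http://www.some.site/docs/report.pdf#page=3&zoom=100",          # benign open parameters
    "http://www.some.site/file.php?file=foo.pdf#not_an_open_param",  # file-portal PDF, odd fragment
]

# Assumed allowlist of PDF "open parameter" names that appear in benign
# fragments (page=3, zoom=100, ...). This set is an assumption for the example.
ALLOWED_OPEN_PARAMS = {"page", "zoom", "nameddest", "view", "toolbar", "navpanes", "scrollbar"}
VALUE_PATTERN = re.compile(r"[A-Za-z0-9_.,%-]*")


def request_target(url: str) -> str:
    """What a browser writes on the GET line: path and query only.
    Everything from '#' onwards stays in the browser and is never sent."""
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return target


def http_request_lines(url: str) -> list:
    """The request lines the server actually receives for a clicked link."""
    return [f"GET {request_target(url)} HTTP/1.0", f"Host: {urlsplit(url).netloc}"]


def server_side_hash_filter(url: str) -> bool:
    """A mod_security / WAF style rule that blocks any request containing '#'.
    It only ever sees the request lines, so it never fires on a fragment."""
    return any("#" in line for line in http_request_lines(url))


def request_uri_check(url: str, expected_uri: str) -> bool:
    """The REQUEST_URI comparison proposed for a PHP wrapper script. It sees
    exactly the same fragment-less request-target, so a fragment passes it."""
    return request_target(url) == expected_uri


def looks_like_pdf(url: str) -> bool:
    """A link serves a PDF if its path ends in .pdf or, per the file-portal
    caveat, a query value does (file.php?file=foo.pdf)."""
    parts = urlsplit(url)
    if parts.path.lower().endswith(".pdf"):
        return True
    return any(v.lower().endswith(".pdf")
               for values in parse_qs(parts.query).values() for v in values)


def flag_user_link(url: str) -> bool:
    """Forum-side scan of a user-supplied link: flag PDF links whose fragment
    is anything other than allowlisted name=value open parameters. This is a
    heuristic, but unlike the server the scanner can see the fragment."""
    parts = urlsplit(url)
    if not looks_like_pdf(url) or not parts.fragment:
        return False
    for pair in parts.fragment.split("&"):
        name, sep, value = pair.partition("=")
        if not sep or name.lower() not in ALLOWED_OPEN_PARAMS:
            return True
        if not VALUE_PATTERN.fullmatch(value):
            return True
    return False


def scan_links(links) -> dict:
    """Run the forum-side scan over a list of links; returns url -> flagged."""
    return {url: flag_user_link(url) for url in links}


if __name__ == "__main__":
    for url in SAMPLE_LINKS:
        print(url)
        for line in http_request_lines(url):
            print("   ", line)
        print("    '#' filter fires:", server_side_hash_filter(url),
              "| flagged by link scan:", flag_user_link(url))
```

Running it shows the same request for a link with and without a fragment, so both server-side checks are blind to it, while the link scan flags the file-portal PDF whose fragment is not a recognised open parameter and leaves `#page=3&zoom=100` alone.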
