| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 25 Nov 2009 20:06:40 +1100 From: Patrick Webster <sflist@...hack.com> To: "Thor (Hammer of God)" <thor@...merofgod.com> Cc: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com> Subject: Re: Millions of PDF invisibly embedded with your internal disk paths I agree. Discovering the local path may be considered a risk, but in most cases the risk is nil. Consider compiled binaries. They also leak paths of the developer's compile environment (mainly PDB - http://support.microsoft.com/kb/121366). E.g. My firefox.exe is: e:\builds\moz2_slave\win32_build\build\obj-firefox\browser\app\firefox.pdb This reminds me of the iPhone worm. Everyone knew about the default root password years ago... it is not like people weren't already scanning for gaolbroken phones before worms were released >:) Then again, the worm brought attention to the fact. PDF's are mainly used for two reasons: 1) Prevent end-user modification 2) Because Microsoft Word conceals information & tracks changes etc, and too many government & enterprise organisations have been bitten by it that PDF is a rule of thumb. At least in my experience. Considering that, perhaps for the PDF format specifically this could be an issue, under the assumption that consumers use PDF /specifically/ to prevent data leakage. -Patrick
Powered by blists - more mailing lists