Universal XSS through Adobe PDF Plugin - PHP Security Blog

Universal XSS through Adobe PDF Plugin

Wednesday, January 3. 2007

Wednesday, January 3. 2007

It seems at the 23C3 Stefano Di Paola has disclosed a universal XSS vulnerability through the Adobe PDF Plugin. Due to this vulnerability it is possible to launch XSS attacks against any site having PDF files. An example is for example:

http://www.google.com/lib.../.../...5x11.pdf#s=javascript:alert(document.cookie);

The JavaScript is simply injected through a random variable appended to the URL fragment. Because of this vulnerability I strongly advise everyone to disable the use of the Adobe Acrobat PDF plugin in their browser. For firefox you can disable it within the Settings / Content / Filetypes menu. Just change the action performed for PDF, XPDF, FDF and everything else associated with the adobe acrobat plugin.

UPDATE: Just for the record. This issue has been fixed in the latest updates for the Adobe PDF Plugin.This does however not change the fact that the majority of users most probably still run vulnerable versions.

Posted by Stefan Esser in Security, PHP at 10:59

Comments (14)

Link to this post

Comments

Display comments as (Linear | Threaded)

#1 Aaron Wormus wrote (Link) ()

Scary!

posted on Wednesday, January 3. 2007

#2 Anthony wrote (Link) ()

It appears as though this only affects the Firefox PDF plugin. I am unable to replicate this issue in IE7.

posted on Wednesday, January 3. 2007

#3 ... wrote (Link) ()

There's a typo in the heading. Adope.

posted on Wednesday, January 3. 2007

#4 Anti Veeranna ()

Scary indeed, I played with it a while and was able to steal cookies just fine. Only for educational purposes of course

This is fixed in Acrobat version 8 though, which says "this operation is not allowed"

posted on Wednesday, January 3. 2007

#5 Cristian Rodriguez wrote (Link) ()

You can use this on your apache webserver to force the pdf to download

SetEnvIf Request_URI "\.pdf$" requested_pdf=pdf
Header add Content-Disposition "Attachment" env=requested_pdf

wow. scary

posted on Wednesday, January 3. 2007

#5.1 Christian Matthies ()

Well, you as the owner of the website could do a lot of things to force the client to download the file but that doesn't change anything or at least isn't a solution for the client to protect himself (and his cookies).

You can do the same with PHP's header() function.
The only solution to protect yourself is to disable the PDF plugin in Firefox.

Ah I have to admit: obviously you are right. Every webmaster should force a download to protect his visitors/users for XSS / CSRF attacks, but I guess this wasn't Stefan's original intention since he wanted to appeal to users. The other way round would be pretty risky, isn't it?

posted on Wednesday, January 3. 2007

#6 Doubleslash ()

Opening this URL in Firefox with Adobe Acrobat 8 causes the plugin to say: "This operation is not allowed." I enabled Adobe JavaScript and checked the "enable security policies for global object" in the according preferences section.

posted on Wednesday, January 3. 2007

#7 DD32 wrote (Link) ()

Load in IE6 with Version8:
Nothing...

Load it in FF1.5 with Adobe Reader 8 and get "This Operation is now allowed", then the PDF loads

posted on Wednesday, January 3. 2007

#8 mx2 ()

Good work!

posted on Thursday, January 4. 2007

#9 Cd-MaN wrote (Link) ()

One more reason to use the free (!) FoxIt PDF reader: http://www.foxitsoftware.com/pdf/rd_intro.php (or switch directly to Linux, where you have a PDF reader directly in most of the distributions)

posted on Thursday, January 4. 2007

#10 Giancarlo ()

Tha name is wrong, the right one is Stefano Di Paola

http://www.wisec.it/vulns.php?page=9

posted on Friday, January 5. 2007

#11 Christian Matthies wrote (Link) ()

Unfortunately the ha.ckers.org server is currently offline but RSnake blogged about an other issue that comes with this UXSS - pointing the malicious URL to a PDF file on the local file system, which obviously includes the possibility to read local files and similar scary things.

Imagine something like this:
file:///C:/Program%20Files/Adobe/Acrobat%207.0/Resource/ENUtxt.pdf#blah=javascript:alert("XSS");

For the original blog entry, visit:
http://ha.ckers.org/blog/20070103/pdf-xss-can-compromise-your-machine/

posted on Tuesday, January 9. 2007

#12 Tim's domain wrote (Link) ()

I have version 8. I think they fixed the problem.

posted on Saturday, January 13. 2007

#13 james kingsted wrote (Link) ()

I had no idea of this vulnerability. thanks I'm up dating to version 8 of Adobe Acrobat. I think this will solve the problem. I'm just glade that somebody's around to warn people about it! thanks

posted on Monday, April 9. 2007

Add Comment

Name:

Email:

Homepage:

In reply to:

Comment:
Standard emoticons like :-) and ;-) are converted to images.

Remember Information? Subscribe to this entry
Submitted comments will be subject to moderation before being displayed.

Calendar

Archives

August 2008
July 2008
June 2008
Recent...
Older...

Categories

XML

XML

XML

Syndicate This Blog

XML

RSS 0.91 feed

XML

RSS 1.0 feed

XML

RSS 2.0 feed

ATOM/XML

ATOM 0.3 feed

XML

RSS 2.0 Comments

Protected By

Hardening-Patch for PHP