Acrobat Reader suffers major XSS flaw

Discussion in 'Forum for discussion of ANTICHAT' started by Sn@k3, 5 Jan 2007.

  1. Sn@k3

    Sn@k3 Elder - Старейшина

    Joined:
    13 Apr 2006
    Messages:
    1,000
    Likes Received:
    437
    Reputations:
    90
    An ill-conceived feature in the widely used Acrobat Reader renders many websites vulnerable to client Cross Site Scripting. The flaw requires user action but is easily exploited in numerous ways.

    The Universal PDF XSS flaw was discovered by Stefano Di Paola and Giorgio Fedon, and uses a feature known as "Open Parameters" in Acrobat Reader to permit Cross Site Scripting with JavaScript injection. Symantec's Hon Lau has written a good blog entry on the issue. And GNUCITIZEN has published an excellent tutorial on using XSS with JavaScript to exploit a vulnerable client, helping the public become more aware of the dangers and ease with which this flaw can be exploited. Social networking websites and all others that use SessionIDs are particularly vulnerable to this attack.

    The XSS flaw affects Acrobat Reader 7 and prior versions on both Internet Explorer and Firefox for Windows. Vulnerable users are advised to either disable JavaScript, upgrade to Acrobat Reader 8, or use an alternative PDF reader or plug-in for their browser of choice.

    securityfocus.com
     
  2. ettee

    ettee Administrator
    Staff Member

    Joined:
    12 Oct 2006
    Messages:
    466
    Likes Received:
    1,035
    Reputations:
    1,065
    http://server/file.pdf#lalala=javascript:alert('xss')
     
    _________________________
  3. Sn@k3

    Sn@k3 Elder - Старейшина

    Joined:
    13 Apr 2006
    Messages:
    1,000
    Likes Received:
    437
    Reputations:
    90
    =) oh...
     
Loading...