
January 2007 Archives


January 3, 2007

Don't click those PDF links

I just got pointed to a couple of interesting posts on cross-site scripting using plugins and other things that are on the user's system. The most interesting was a blog posting yesterday on Disenchant's blog on how to use the Adobe Acrobat plugin to perform cross-site scripting using any PDF file found on the website. A URL of the following format:

http://some.random.site.com/foo.pdf#something=javascript:alert(123);

will execute the script. I also got pointed to another follow-up on the same issue on the Gnucitizen blog.

I'm going to have a look into this issue and find out which combinations are exploitable, and which (if any) aren't. More to follow...

Edit: So far confirmed as working on the following combinations:

  • Firefox / Adobe Acrobat Reader plugin / Windows XP SP2
  • IE6 / Adobe Acrobat 6 (Pro) plugin / Windows XP SP2
  • Firefox / Adobe Acrobat Reader plugin / Linux
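As an added example (not from the original post), here is a Python check a defender could run over links seen in user-submitted content or an outbound-link filter. It flags URLs of the shape described above: a path ending in .pdf whose fragment carries a name=javascript: value, normalising percent-encoding and control characters first so simple encoding variations are not missed. The sample URLs are constructed for this example, except the first, which mirrors the format quoted in the post.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample links; only the first mirrors the format quoted in the post.
SAMPLE_URLS = [
    "http://some.random.site.com/foo.pdf#something=javascript:alert(123);",
    "http://example.test/report.PDF#page=3",
    "http://example.test/docs/x.pdf#something=JavaScript:alert(1)",
    "http://example.test/docs/x.pdf#something=%6Aavascript%3Aalert(1)",
    "http://example.test/index.html#something=javascript:alert(1)",
]

# A fragment parameter whose value starts with the javascript: scheme.
_SCHEME_RE = re.compile(r"=\s*javascript\s*:", re.IGNORECASE)


def _normalize(fragment: str) -> str:
    # Decode percent-encoding twice (catches double encoding) and drop
    # non-printable characters so tabs/newlines cannot split the keyword.
    text = unquote(unquote(fragment))
    return "".join(ch for ch in text if ch.isprintable())


def is_pdf_fragment_script(url: str) -> bool:
    """True when the URL points at a .pdf path and its fragment
    carries a name=javascript: value (the pattern described in the post)."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith(".pdf"):
        return False
    if not parts.fragment:
        return False
    return bool(_SCHEME_RE.search(_normalize(parts.fragment)))


def flag_links(urls):
    """Return the subset of urls that match the PDF fragment-script pattern."""
    return [u for u in urls if is_pdf_fragment_script(u)]


if __name__ == "__main__":
    for link in flag_links(SAMPLE_URLS):
        print("flagged:", link)
```

Because the fragment is never sent to the server, this check only helps where your code sees the full URL; on the serving side, delivering PDFs with Content-Disposition: attachment keeps them from being rendered inline by the browser plugin.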



About January 2007

This page contains all entries posted to justinclarke.com in January 2007. They are listed from oldest to newest.


This weblog is licensed under a Creative Commons License.