
Re: [magicu-l] Re: off-topic: global XSS vulnerability in .pdf

  • Andreas Sedlmeier
    Message 1 of 8 , Feb 1 12:01 AM
      Well, now we get completely off-topic but these are things I simply don't know
      how to handle best.

      How you communicate this issue - if you decide to do so - is a thing which you
      need to decide.
      In larger companies this is a management decision.
      I did not yet see any warnings so far.

      I am not even sure about the laws. Any lawyers here?

      Adobe provides you with enough information to protect your customers against
      the attack and you do not?
      Questionable at least. That's the problem with cross-site scripting. It's a
      bit more complicated than simple phishing.
      (When it comes to serious phishing companies sometimes/often DO warn)

      A decision of not taking any countermeasures against the vulnerable
      Adobe of your customer is probably totally ok.
      What if it is however your site which had the JavaScript on the link
      because it did not validate input correctly?
      HTML mail is only the most direct exploit for this. Your IE is not plain
      text.

      Anyhow ...

      XSS and all the other well-known vulnerabilities caused by invalid input
      validation are a real issue.
      As I wrote ... I collect some information and put it in the Wiki. There's
      need to know.

      It's not going to be a new site on web application security but it will name
      and list the issues and give samples and more detailed information if a
      solution is required or possible which you do not find on .asp, .php, or
      "general purpose" websites on this issue. Everybody can edit and add.

      The .pdf issue just scared me because .pdf really starts to be treated as
      an html replacement meanwhile.
      It's everywhere and I am not sure if you can disable JavaScript. Disabling
      in IE does not help.

      Best regards,

      Andreas.


      ----- Original Message -----
      From: "craig_martin_magic_programmer" <craig.martin@...>
      To: <magicu-l@yahoogroups.com>
      Sent: Thursday, February 01, 2007 8:39 AM
      Subject: [magicu-l] Re: off-topic: global XSS vulnerability in .pdf


      >
      > The media I read was remarkably quiet on the subject, I didn't know
      > about it until you wrote about it here.
      >
      > I'm on IE7, don't use html-mail readers (I use Outlook Express with
      > plain text mails) - I think it's a little bit of overkill for anyone
      > to change their entire site to not host pdf without content-disposition,
      > just make sure clients know to update Adobe Reader.
      >
      >
      > --- In magicu-l@yahoogroups.com, "Andreas Sedlmeier" <sedlmeier@...>
      > wrote:
      >>
      >> Basically I did not yet try this. I was too busy with "static" .pdf
      >> hosted on sites I am responsible for.
      >> It should work as I described. Depends a bit on the browser. As I
      >> wrote ... IE7 does not suffer from this. It's safe.
      >>
      >> Anyhow ... it's a real shame. One of the most severe vulnerabilities
      >> I am aware of ... I missed by 3 weeks.
      >> Did you notice this problem when it was publicly described
      >> January 03?
      >>
      >> ----- Original Message -----
      >> From: "craig_martin_magic_programmer" <craig.martin@...>
      >> To: <magicu-l@yahoogroups.com>
      >> Sent: Thursday, February 01, 2007 8:25 AM
      >> Subject: [magicu-l] Re: off-topic: global XSS vulnerability in .pdf
      >>
      >>
      >> >
      >> > Got it, thanks
      >> >
      >> >
      >> > --- In magicu-l@yahoogroups.com, "Andreas Sedlmeier" <sedlmeier@>
      >> > wrote:
      >> >>
      >> >> That depends. You'll stream your .pdf with MIME type pdf because
      >> >> you WANT that the pdf opens on client side and not a "file save"
      >> >> dialog.
      >> >> If you know a URL to a Magic application streaming .pdf you can
      >> >> "add" JavaScript to the URL.
      >> >>
      >> >> This will completely bypass your session handling and you would
      >> >> only be safe if you have a (really) secure session ID on the URL
      >> >> (HTTP GET).
      >> >> Usage of HTTP GET is however discouraged for other reasons.
      >> >>
      >> >> What I sometimes do (and what I fixed last night) is: I generate
      >> >> the pdf on server side and put it on disk with a secure filename
      >> >> which nobody can guess.
      >> >> As long as this file exists (it's usually deleted when the connection
      >> >> times out or the user logs off) a malicious user could forward the
      >> >> link to his manager (f.i.) and hijack his session, ...
      >> >> Everything is possible.
      >> >>
      >> >> Meanwhile many people understand that it's not good to click on
      >> >> every link they see.
      >> >> If it correctly points to craigmartin.com over SSL? ... they
      >> >> maybe do.
      >> >> Who checks the source of html mail before clicking a link and does
      >> >> have enough JavaScript and URL obfuscation know-how to identify the
      >> >> attack?
      >> >> I don't do this (for every click I do).
      >> >>
      >> >> Basically it's not your site which is vulnerable anyway. It's your
      >> >> client.
      >> >> Problem is ... the JavaScript will be executed in the security
      >> >> context of YOUR site.
      >> >>
      >> >> If you want to help your customers ... better fix, warn or
      >> >> whatever ....
      >> >> You cannot know if your client has an Adobe version which is
      >> >> vulnerable ... or not.
      >> >> Currently I think most users have. Adobe however handled this
      >> >> really well and have updates for all vulnerable versions now.
      >> >> No need to go to 8. You can update 6 and 7 as well.
      >> >>
      >> >> Best Regards,
      >> >>
      >> >> Andreas.
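The two mitigations discussed in the thread above (Andreas' unguessable server-side filename and Craig's Content-Disposition header) combined in one small WSGI handler, as an added example that is not code from the thread, from Magic or from Adobe; the storage directory PDF_DIR, the name pattern NAME_RE and the URL path /pdf/<name> are assumptions of this example:

```python
"""Added example (not from the thread): hardened delivery of server-generated PDFs."""
import os
import re
import secrets
import tempfile

# Constructed storage directory for generated PDFs (assumption of this example).
PDF_DIR = tempfile.mkdtemp(prefix="pdfs-")
# Only names we generated ourselves are accepted: 43 url-safe token chars + ".pdf",
# so path traversal or guessing another user's file is rejected before any disk access.
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{43}\.pdf$")


def store_pdf(data: bytes) -> str:
    """Write PDF bytes to disk under an unguessable name and return that name."""
    name = f"{secrets.token_urlsafe(32)}.pdf"  # 256 bits of randomness, 43 chars
    with open(os.path.join(PDF_DIR, name), "wb") as fh:
        fh.write(data)
    return name


def pdf_headers(name: str) -> list:
    """Headers that make the browser save the file instead of rendering it inline.

    With "attachment" the PDF is not handed to the reader plug-in inside the
    page's origin, so a "#x=javascript:" fragment has no site context to run in.
    """
    return [
        ("Content-Type", "application/pdf"),
        ("Content-Disposition", f'attachment; filename="{name}"'),
        ("X-Content-Type-Options", "nosniff"),
        ("Cache-Control", "no-store"),
    ]


def app(environ, start_response):
    """WSGI handler for GET /pdf/<name>. URL fragments never reach the server, so
    the strict name check and the response headers are the server-side defences."""
    path = environ.get("PATH_INFO", "")
    name = path[len("/pdf/"):] if path.startswith("/pdf/") else ""
    full = os.path.join(PDF_DIR, name)
    if not NAME_RE.match(name) or not os.path.isfile(full):
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    with open(full, "rb") as fh:
        body = fh.read()
    start_response("200 OK", pdf_headers(name))
    return [body]
```

Deleting the file when the session ends (as Andreas describes) is what bounds the window in which a forwarded link still works; the name check alone only stops guessing.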
    • Andreas Sedlmeier
      Message 2 of 8 , Feb 1 12:24 AM
        I forgot ...

        Personally I really would appreciate a big fat red colored warning on my
        online banking site regarding that.
        I just would never go there. If I click the URL ... it already happened.

        Check the (slightly modified) "bank of america exploit". (Safe to click,
        nothing will happen besides an alert and I do not even obfuscate this).
        http://www.bankofamerica.com/newsroom/press/pdfs/Paper_Procurement_Policy.pdf#something=javascript:alert('Greetings from magicu-l');

        Regards,

        Andreas


        ----- Original Message -----
        From: "Andreas Sedlmeier" <sedlmeier@...>
        To: <magicu-l@yahoogroups.com>
        Sent: Thursday, February 01, 2007 9:01 AM
        Subject: Re: [magicu-l] Re: off-topic: global XSS vulnerability in .pdf

