« Firebug public beta 1.0
Your video channel »

Depressive Developer

January 5th, 2007 by teemow

This is just a repost of Mario’s blogpost, translated from german to english:

Since the PDF XSS - or UXSS (Universal XSS) - caused a lot of noise, RSnake (ha.ckers.org) posted a POC which uses defaultfiles of Acrobat Reader. The file ENUtxt.pdf is on nearly all systems with Acrobat.

With the local context of the javascript, Firefox accepts XHR on local files. So with the link at the bottom you can access local files of a visitor from every website. This is a complete security desaster.

You can fix this issue with the latest version of the Acrobat Reader (8.0). Hopefully there also is a Firefox update soon. To stop the ‘Acrobat Javascript’ feature doesn’t work - Javascript in PDFs OMFG!

Alert my hosts file

I couldn’t resist reposting this sexy kind of link :) thanx to mario for this highlight.


Similar Posts:

This entry was posted on Friday, January 5th, 2007 at 2:25 pm and is filed under javascript, pdf, security, xss. You can follow any responses to this entry through the RSS 2.0 feed. You can skip to the end and leave a response. Pinging is currently not allowed.

2 Responses to “Depressive Developer”

  1. Oliver Thylmann Says:
    January 5th, 2007 at 3:22 pm

    thank god I have a mac :)

  2. .mario Says:
    January 6th, 2007 at 3:38 am

    thank god the friggin black hat dev will be in yer team in february; still counting the days… ;)

Leave a Reply


authimage