Comments on: Hacking with Browser Plugins

By: Rajesh

Rajesh — Sun, 14 Sep 2008 04:11:45 +0000

nice article….i really like ur site….
http://rajeshhackingarticles.blogspot.com

By: Disenchant

Disenchant — Fri, 20 Apr 2007 23:47:48 +0000

Hi Scott,
yes it’s correct that it won’t work with Adobe Reader 8.0 because the issue was patched there

By: Scott

Scott — Thu, 19 Apr 2007 06:58:37 +0000

Now I have yet another reason not to use the PDF plugin in Firefox.

I’ve got Adobe Reader 8 set to view PDFs in the app and not in the browser.
I’ve set Firefox to download PDFs and not to view them with the plugin.
And on top of all that, I use the PDF Download extension ( https://addons.mozilla.org/en-US/firefox/addon/636 ).

I could not reproduce the examples you’ve given here.

By: The show must go on at Disenchant’s Blog

The show must go on at Disenchant’s Blog — Thu, 01 Mar 2007 08:35:30 +0000

[...] pdp wrote an interesting blog posting today about his research on the well known so called PDF UXSS vulnerability. Because pdp did a good job on his posting, I just want to quote a part of it: [...]

By: SSL Links - SSL Information » Many Intruders Remain Unpredictable

SSL Links - SSL Information » Many Intruders Remain Unpredictable — Thu, 11 Jan 2007 05:56:09 +0000

[...] Who would have thought to abuse a .pdf viewer in such a manner? Read more about the problem here. [...]

By: deaz’s blog » Browser plugins, PDF & XSS

deaz’s blog » Browser plugins, PDF & XSS — Fri, 05 Jan 2007 07:39:10 +0000

[...] http://www.disenchant.ch/blog/hacking-with-browser-plugins/34 Auch! Im not gonna try and prevent me from such thing… just uninstall adobe reader, not a big fan of it either ;) [...]

By: benny

benny — Fri, 05 Jan 2007 02:41:19 +0000

may it help to deliver the pdf as application/zipor something else (to force the download)?
e.g. (apache)

ForceType application/zip

By: darron

darron — Fri, 05 Jan 2007 02:09:39 +0000

What about forcing the PDF to download? Kind of like this?

By: Thought Torrent - Protecting against PDF XSS with Apache

Thought Torrent - Protecting against PDF XSS with Apache — Thu, 04 Jan 2007 19:17:56 +0000

[...] Recent EntriesFriendsArchiveUser Infoatrus.org – it's just not done Protecting against PDF XSS with Apache« previous entry | next entry »Jan. 4th, 2007 | 05:11 amThis lovely article points out that you can execute Javascript from a PDF using a feature of Adobe’s Acrobat Reader plugin. Filtering based on URLs (e.g. using mod_rewrite) won’t work because the fragment section of a URL is not usually sent to the server.If the cookies for a site are restricted to exact name matches, then simply relocating all pdfs (and pdf-generating scripts/applications) to their own subdomain (e.g. pdfs.foo.com) is sufficient. Otherwise, you’re stuck buying another domain (foopdfs.com) or doing something below.Another simple solution is to just make the browser download the pdf instead of trying to display it inline. This sucks for everyone not using a vulnerable version of the Adobe Acrobat Reader plugin, but it does work.For Apache 1.3, you can use mod_headers with a FileMatch directive to automatically handle your usual flat files. Header set Content-Disposition attachmentApplications will need to be patched, of course.With Apache 2.0, you can use AddOutputFilterByType plus my newly-born mod_forcedl to do a more thorough job. Since this looks at the MIME type, it will even catch stuff generated by web applications.The more complex solution is to use JavaScript to scan the plugins (window.navigator.plugins), issue a user-specific token (random string), then refresh/redirect. On the server-side, you give the check page if a valid token isn’t present (or, say, the User-Agent says it’s wget) or serves up the pdf if the token checks out.(via evan_tech) [...]

By: TheHorse13

TheHorse13 — Thu, 04 Jan 2007 16:59:51 +0000

This also does not work with IE7 with acrobat 7 plugin. It clips the java alert window.