Forum OpenACS Development: PDF Exploit: fix for AOLserver

Posted by Tom Jackson on
Sorry for the cross post with aolserver list:

There is a new, and potentially very dangerous exploit which allows an
attacker to run javascript simply by accessing a pdf file via a web browser.

The exploit requires that an attacker include javascript in a url anchor, as
part of an internal link (the junk after the # sign), something like this:

http://example.com/path/to/pdf/my.pdf#anyvar=javascript:somescript

Some interesting features of this exploit make it particularly hard to fix on
the server side. First is that browsers don't send the stuff after the #
sign, at least not Mozilla. Second: browsers maintain the internal part of
the url during a redirect, thus they preserve the exploit.

Even though this is a client side bug, it could impact the server security due
to the potential that the javascript code will execute with the rights of the
user on the site hosting the pdf file.

I've written a filter which removes the internal part of the url, but it
requires the user click on a new url due to the client browser handling of
this part of the url.

More info, links, limitations and installation instructions are here:

http://rmadilo.com/files/pdf-exploit/

The file a-pdf-exploit-fix.txt contains the filter code.
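As an added illustration of the two properties the post relies on (the browser never sends the part after `#`, and a redirect does not shed it) and of the click-through approach it describes, here is a small Python sketch. It is not the Tcl filter from rmadilo.com nor any OpenACS or AOLserver code; the query parameter `pdfok`, the cookie `pdfclick`, the `Decision` type and the page text are assumptions of this example. One caveat the sketch handles: if the click-through marker were a fixed value, it could be written into the hostile link ahead of the `#` and the intermediate page would never be shown, so the marker is a per-visit nonce that has to match a cookie set with the page.

```python
import hmac
import html
import secrets
from typing import Dict, NamedTuple, Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Names below are assumptions for this example, not taken from the post's filter.
CLICK_TOKEN = "pdfok"      # query parameter carrying the click-through nonce
COOKIE_NAME = "pdfclick"   # cookie that binds the nonce to the visitor's browser


class Decision(NamedTuple):
    action: str            # "serve" (let the normal handler send the file) or "interstitial"
    status: int
    headers: Dict[str, str]
    body: bytes


def server_view(full_url: str) -> str:
    """Return the request-target a server receives for a URL opened in a browser.

    The fragment (everything after '#') stays in the browser and is never sent,
    so no server-side filter can inspect it; and because the browser re-attaches
    it after a redirect, a 302 to a 'clean' URL does not shed it either.
    """
    parts = urlsplit(full_url)
    return urlunsplit(("", "", parts.path, parts.query, ""))


def is_pdf_request(path: str) -> bool:
    return path.lower().endswith(".pdf")


def handle_request(request_target: str,
                   cookies: Optional[Dict[str, str]] = None,
                   nonce: Optional[str] = None) -> Decision:
    """Filter one request: a PDF is served only after a click on a nonce-bearing link.

    A fresh navigation started by clicking a link that has no '#' carries no
    fragment, which is how the click-through page sheds it. The nonce in the
    query must match the cookie set alongside the page.
    """
    cookies = cookies or {}
    parts = urlsplit(request_target)
    query = parse_qsl(parts.query, keep_blank_values=True)
    if not is_pdf_request(parts.path):
        return Decision("serve", 200, {}, b"")

    supplied = dict(query).get(CLICK_TOKEN, "")
    expected = cookies.get(COOKIE_NAME, "")
    if supplied and expected and hmac.compare_digest(supplied.encode(), expected.encode()):
        return Decision("serve", 200, {}, b"")

    # No valid click-through yet: answer with a page whose only link is the same
    # path plus the nonce; other query parameters are preserved.
    nonce = nonce or secrets.token_urlsafe(16)
    clean = [(k, v) for k, v in query if k != CLICK_TOKEN] + [(CLICK_TOKEN, nonce)]
    target = urlunsplit(("", "", parts.path, urlencode(clean), ""))
    body = (
        '<!DOCTYPE html><html><head><meta charset="utf-8"><title>Open PDF</title></head>'
        "<body><p>Click to open the document:</p>"
        f'<p><a href="{html.escape(target, quote=True)}">{html.escape(parts.path)}</a></p>'
        "</body></html>"
    )
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Set-Cookie": f"{COOKIE_NAME}={nonce}; Path=/; HttpOnly; SameSite=Lax",
    }
    return Decision("interstitial", 200, headers, body.encode("utf-8"))


if __name__ == "__main__":
    # Constructed walk-through using the post's sample URL.
    hostile = "http://example.com/path/to/pdf/my.pdf#anyvar=javascript:somescript"
    print("server sees:", server_view(hostile))
    first = handle_request(server_view(hostile), nonce="demo")
    print(first.action, first.headers["Set-Cookie"])
    second = handle_request("/path/to/pdf/my.pdf?pdfok=demo", cookies={"pdfclick": "demo"})
    print(second.action)
```

In a real deployment the cookie would be read from the `Cookie` header and the "serve" decision would hand the request on to the static file handler; the sketch keeps both as plain dictionaries and return values so the decision logic can be read and tested on its own.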