[Owasp-sydney] XSS/Phising with PDF

kuza55 at gmail.com
Wed Jan 3 18:48:36 EST 2007


> Pdf links regularly shouldn't really have any request parameters
> attached, so for pdf requests the server might try to check on any
> attached parameters and redirect the user.

Actually, I don't think the server can, because browsers don't send
the fragment after the # symbol; break out Ethereal or something and
have a look: when you go to any URL, the segment after the # isn't
sent. I presume that is because it's not relevant to what page the
server sends; it is only relevant to the browser.

The only server-side solution is to force people to download it,
either by setting the MIME type to something like
application/octet-stream or by sending a Content-Disposition: attachment
header.

On the client side the easiest solution is just to disable the viewing
of PDF files through Adobe's Reader, either by removing the
plugin, or by going to
Firefox -> Tools -> Options -> Content -> Manage and changing all actions
associated with the Adobe Reader to "Save to Disk".

- Alex "kuza55"
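The following is an added example, not part of the original post and not kuza55's code. It illustrates the two points made above in Node.js using only the built-in WHATWG URL class: first, that when a browser requests a PDF link only the path and query string go on the wire while everything after # stays in the client, so the server has nothing to inspect; second, the forced-download response headers the post recommends. The sample links and the filename-sanitising regex in downloadHeaders are assumptions made for the example.

```javascript
// Added example (not from the original post). Node.js, built-in URL class only.

// Split a link the way a browser does before sending the request:
// only path + query are sent to the server; the fragment stays in the browser.
function splitForRequest(link) {
  const u = new URL(link);
  return {
    requestTarget: u.pathname + u.search, // what the server actually receives
    fragment: u.hash,                     // never leaves the browser
  };
}

// The HTTP/1.1 request line a browser emits for the link. Note that
// nothing after # appears in it, so no server-side check can act on it.
function requestLine(link) {
  const { requestTarget } = splitForRequest(link);
  return `GET ${requestTarget} HTTP/1.1`;
}

// Server-side mitigation from the post: serve the PDF as a download so the
// browser saves it instead of handing it to the in-browser reader plugin.
function downloadHeaders(filename) {
  // Assumed sanitising step (not in the post): keep only safe filename characters
  // so the quoted filename parameter cannot be broken out of.
  const safe = filename.replace(/[^\w.\-]/g, "_");
  return {
    "Content-Type": "application/octet-stream",
    "Content-Disposition": `attachment; filename="${safe}"`,
  };
}

// Demonstration on a constructed link (example input, not a real site).
const demoLink = "http://www.example.com/files/report.pdf?id=1#anything=here";
console.log(requestLine(demoLink));            // GET /files/report.pdf?id=1 HTTP/1.1
console.log(splitForRequest(demoLink).fragment); // #anything=here (client-side only)
console.log(downloadHeaders("report.pdf"));

module.exports = { splitForRequest, requestLine, downloadHeaders };
```

Running the block prints the request line without the fragment; capturing the same request with a packet sniffer, as the post suggests, shows the identical line on the wire. A server that sets the headers returned by downloadHeaders on its PDF responses takes the in-browser viewer out of the picture regardless of what the link carried after #.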

