Bugtraq mailing list archives
Adobe Reader 7: XML External Entity (XXE) Attack
From: "Sverre H. Huseby" <shh () thathost com>
Date: Thu, 16 Jun 2005 17:08:38 +0200
XML External Entity (XXE) Attack Possible in Adobe Reader 7 ----------------------------------------------------------- SHH #7, 2005-06-16 Description ----------- Recent versions of Adobe Reader (previously known as Acrobat Reader) are vulnerable to XML External Entity (XXE) Attacks. By including a JavaScript in a PDF file, and have this JavaScript parse an embedded XML document with a reference to an external entity, it is possible to read certain types of textual files on the local computer, and have them sent to a remote attacker. Details ------- The hairy details (the problem description sent to Adobe), including sample PDFs, are available on a separate web page: http://shh.thathost.com/secadv/adobexxe/ Solution -------- Disable the use of JavaScript in Adobe Reader, or upgrade to a version not vulnerable to this attack. Vendor Notification ------------------- The Adobe developers were notified on 2005-04-15. They made a fix available on 2005-06-15. Affected versions ----------------- Confirmed to work in version 7.0 and 7.0.1 on Microsoft Windows, version 7.0 on GNU/Linux and version 7.0 on Mac OSX. It is unknown whether the attack works in version 6, which also supports JavaScript in PDF files. Fixed versions -------------- Adobe Reader version 7.0.2. For Adobe's own advisory, see the following URL: http://www.adobe.com/support/techdocs/331710.html Credits ------- Thanks to Jeremiah Grossman for verifying that the attack also works on the Mac OSX version of Adobe Reader. ---------------------------- Reported by Sverre H. Huseby
Current thread:
- Adobe Reader 7: XML External Entity (XXE) Attack Sverre H. Huseby (Jun 16)
- Re: Adobe Reader 7: XML External Entity (XXE) Attack Slawek (Jun 20)