Bugtraq mailing list archives
Re: Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
From: rudeyak () yahoo com
Date: 4 Jan 2007 21:35:33 -0000
YMMV, but in our own testing of server-side defenses for Apache, we had to resort to the following to extract the anchor information: # mod_rewrite defense RewriteCond %{THE_REQUEST} .*\.pdf[^A-Za-z0-9._?&%-] RewriteRule (.*\.(pdf)) $1 [R,L] # mod_security defense SecRule REQUEST_URI_RAW: ".*\.pdf[^A-Za-z0-9._?&%-]" \ "deny,log,status:502,id:951004,severity:2,msg:'DOM attack on static content'" In the case of mod_rewrite, I had to use THE_REQUEST, which captures the entire 1st line of an HTTP request, not just the URI (hence capturing the anchor); in the case of mod_security, I think I just got lucky, I can't explain why REQUEST_URI_RAW worked while REQUEST_URI did not. This was tested with Apache 2.0.59 and modsecurity-apache_2.0.4.
Current thread:
- Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous pdp (architect) (Jan 04)
- <Possible follow-ups>
- Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous Rude Yak (Jan 04)
- RE: [WEB SECURITY] Universal XSS with PDF files: highly dangerous RSnake (Jan 04)
- RE: [WEB SECURITY] Universal XSS with PDF files: highly dangerous Martin O'Neal (Jan 04)
- Re: Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous rudeyak (Jan 04)
- RE: [WEB SECURITY] Universal XSS with PDF files: highly dangerous Martin O'Neal (Jan 08)
- Re: Re: Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous rudeyak (Jan 08)
- Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous pdp (architect) (Jan 08)
- RE: [WEB SECURITY] Universal XSS with PDF files: highly dangerous Tom Stripling (Jan 09)