PDF XSS hits the fan

Another nasty to follow up yesterday’s QuickTime post: GnuCitizen reports that Adobe Reader and Acrobat versions prior to 8.0 appear to have a serious XSS flaw in the way the browser plug-in opens PDFs, and it only seems to affect certain platforms:

PDF documents can execute JavaScript code for no apparent reason by using the following template.

http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here

You must understand that the attacker doesn’t need to have write access to the specified PDF document. In order to get an XSS vector working you need to have a PDF file hosted on the target, and that’s about it. The rest is just a matter of your abilities and desires.

This finding was originally mentioned by Sven Vetsch on his blog. The attack vector was discovered by Stefano Di Paola and Giorgio Fedon. This is a very good and quite interesting finding. Good work.

Time to upgrade? Unfortunately the site operator can’t patch this away, because the attack is entirely client-side. The payload rides in the URL fragment (everything after the #), which the browser never sends to the server, so it appears in no access log and passes through no server-side filter; the fragment syntax itself is Adobe’s documented open-parameters mechanism (see page seven of the HighlightFileFormat PDF developer spec). The fix is on the viewing end: upgrade the Reader/Acrobat plug-in to 8.0, or stop PDFs rendering inside the browser plug-in at all (serving them with a Content-Disposition: attachment header does that). I have to say I’ve been far more wary of PDFs since I noticed Acrobat (writer) code taking up more space than Microsoft Office.
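To make the two points above concrete, here is an added example in JavaScript (mine, not from the GnuCitizen post or the Di Paola/Fedon paper). It splits a PDF URL’s fragment the way Adobe’s open-parameters syntax is structured (name=value pairs joined by &), flags any value that is a javascript: URI regardless of what the parameter is called, and shows that the request target a web server actually receives carries no fragment at all. The sample URLs are constructed; the percent-decoding and control-character stripping is a conservative assumption about what a viewer might tolerate, not documented Reader behaviour.

```javascript
// Added example: parse a PDF URL's fragment as Adobe-style open parameters
// (name=value pairs joined by '&') and flag javascript: payloads.
// Not code from the original post or the Di Paola/Fedon paper.

function parseOpenParameters(pdfUrl) {
  const url = new URL(pdfUrl);
  // url.hash includes the leading '#'; an absent fragment yields ''.
  const fragment = url.hash.startsWith('#') ? url.hash.slice(1) : url.hash;
  const params = [];
  for (const pair of fragment.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const name = eq === -1 ? pair : pair.slice(0, eq);
    const value = eq === -1 ? '' : pair.slice(eq + 1);
    params.push({ name, value });
  }
  return params;
}

// Percent-decode if possible; malformed escapes are left as-is rather than
// letting a bad sequence throw and hide the rest of the value.
function decodeLoosely(s) {
  try {
    return decodeURIComponent(s);
  } catch (e) {
    return s;
  }
}

function isJavascriptUri(value) {
  // Assumption (not documented Reader behaviour): decode once, drop ASCII
  // control characters and spaces that URL parsers commonly tolerate inside a
  // scheme, then compare case-insensitively. Errs on the side of flagging.
  const normalized = decodeLoosely(value)
    .replace(/[\u0000-\u0020]/g, '')
    .toLowerCase();
  return normalized.startsWith('javascript:');
}

// Any parameter name works for the attack, so every value is inspected.
function findJavascriptPayloads(pdfUrl) {
  return parseOpenParameters(pdfUrl).filter((p) => isJavascriptUri(p.value));
}

// What the web server sees on the request line: path and query only.
// The fragment never leaves the browser, so no server log can contain it.
function requestTarget(pdfUrl) {
  const url = new URL(pdfUrl);
  return url.pathname + url.search;
}

// Constructed sample URLs.
const hostile = 'http://example.com/docs/report.pdf#anything=javascript:alert(document.cookie)';
const benign = 'http://example.com/docs/report.pdf#page=7&zoom=100';

console.log(findJavascriptPayloads(hostile)); // one hit, name 'anything'
console.log(findJavascriptPayloads(benign));  // []
console.log(requestTarget(hostile));          // '/docs/report.pdf'
```

The last function is the point of the "unfortunately" above: a web-application firewall or log review running on the server only ever sees `/docs/report.pdf`, so any detection of this vector has to happen in the browser or in the viewer itself.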

The functionality bundled in by product managers is often overwhelming when most of us really (really!) just want a simple pre-formatted viewer…it’s like being given a top-end massage recliner with built-in multimedia, a cooler, drink holders and remote controllers when all you asked for was a place to sit down.

The original paper by Stefano Di Paola and Giorgio Fedon, released December 2006, can be found here. And, of course, it’s a PDF.

EDITED TO ADD (5 Jan 2007): Local system implication is discussed here, and some comments point to a firefox fix.
