Tuesday, February 13, 2007

Attacking Aspect Security's PDF UXSS Filter

While this is not really much of an issue any more because Adobe has released an update and there isn't really much to say, I'd like to revisit it for a moment.

There were a lot of people (myself included) who had considered the PDF UXSS issue unsolvable at the server-side level; how wrong we were: http://www.owasp.org/index.php/PDF_Attack_Filter_for_Java_EE

I have no real analysis of it because, as far as I can tell, it's bulletproof, or at least it would be if browser security didn't have fist-sized holes in it. From a black-box perspective where there is no information leakage, that fix is great.

But sadly, there are ways to simply obtain the data. Using an anti-DNS-pinning attack, it should not be a problem to simply send a request to that IP with the appropriate Host header, etc., and then parse out the link and simply redirect the user. I'm not going to bother providing any code, because there's really nothing new here, just another misfortune.

So a very good idea is practically useless, simply because the rest of our security model is shot to bits.
