Adobe PDF XSS Vulnerability

10 Jan 2007

I've been concentrating on work this past week, but I wanted to quickly mention the Adobe PDF XSS vulnerability discovered by Stefano Di Paola and Giorgio Fedon. This is being called UXSS (universal cross-site scripting) because it can affect virtually any web site. (The web site just has to host a PDF.)

The basic attack is pretty straightforward:

  http://example.org/foo.pdf#bar=javascript:alert('XSS');

If you have a vulnerable version of Acrobat / Reader, your browser will execute this JavaScript whenever you visit the URL. In other words, any site hosting a PDF is a potential target for such an attack, even if the site is not otherwise vulnerable to XSS. (For example, my Security 2.0 slides.) Worse, RSnake found a local PDF that can be used for more malicious attacks:

  file:///C:/Program%20Files/Adobe/Acrobat%207.0/Resource/ENUtxt.pdf

This path is clearly for Windows, but I'm sure similar local URLs can be found for other platforms.

This is all significant, because as I've mentioned before, XSS matters.

One thing missing from most of the discussion is that this issue does not affect the most recent version of Adobe Acrobat / Reader, which was released last year. I still think this is a very significant discovery, but I don't think such important information should be left out of the discussion to artificially increase concern. Adobe's security advisory provides more details about which versions are affected.

John Dowdell, who I mentioned before when discussing the YouTube security vulnerability, mentions this fact in a post on the topic, and he includes some insight from Leonard Rosenthol of the Adobe Acrobat team:

If you're a Windows user, your best bet is to either upgrade to Adobe Acrobat / Reader 8, or disable the plugin from opening within the browser.

If you're an application developer, you can opt to remove all PDFs from your site, or you can force PDFs to be downloaded instead of displayed inline. Richard Lynch has an old post / rant with some useful information. Rich Bowen offers the following advice:

  AddType application/octet-stream .pdf
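As an added example (not code from the original post, from Adobe, or from Rich Bowen), here is the same mitigation expressed for an application that serves PDFs itself, alongside a check you can run over your own responses to find PDFs that would still be handed to the in-browser viewer. The function names, the header-building logic and the sample responses are my own constructions, not anything the post describes. The reason the fix belongs on the response side: the payload sits in the fragment identifier, which the browser never sends to the server, so no request filter or log review can see it; what the server controls is whether the body is given to the PDF plugin at all.

```python
"""Force PDFs to download instead of rendering in the browser plugin, and
audit response headers for PDFs that would still render inline.

Added example; function names and sample data are constructed for illustration.
"""
from typing import Iterable, Mapping

# Content types that browsers commonly hand to the PDF plugin when served inline.
INLINE_PDF_TYPES = {"application/pdf", "application/x-pdf"}


def download_headers_for_pdf(filename: str) -> dict:
    """Build response headers that make a PDF download rather than open inline.

    Two independent signals are set: application/octet-stream keeps the browser
    from routing the body to the Acrobat plugin (the same effect as the AddType
    directive in the post), and Content-Disposition: attachment asks for a
    save prompt even if the browser sniffs the body as a PDF.
    """
    # Keep only the basename and strip characters that could break the header.
    safe_name = filename.rsplit("/", 1)[-1]
    safe_name = safe_name.replace('"', "").replace("\r", "").replace("\n", "")
    if not safe_name:
        safe_name = "download.pdf"
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
    }


def pdf_rendered_inline(status: int, headers: Mapping[str, str]) -> bool:
    """Return True if a response would be rendered by the in-browser PDF viewer.

    A response is treated as inline when it succeeds, carries a PDF content
    type, and does not ask for attachment disposition. Header names are
    matched case-insensitively and parameters (e.g. ';charset=') are ignored.
    """
    if status != 200:
        return False
    lowered = {name.lower(): value for name, value in headers.items()}
    ctype = lowered.get("content-type", "").split(";")[0].strip().lower()
    disposition = lowered.get("content-disposition", "").split(";")[0].strip().lower()
    return ctype in INLINE_PDF_TYPES and disposition != "attachment"


def audit(responses: Iterable[tuple]) -> list:
    """Given (url, status, headers) tuples, list the URLs that render inline."""
    return [url for url, status, hdrs in responses if pdf_rendered_inline(status, hdrs)]


# Constructed sample responses, as a crawler of your own site might collect them.
SAMPLE_RESPONSES = [
    ("http://example.org/foo.pdf", 200,
     {"Content-Type": "application/pdf"}),
    ("http://example.org/docs/inline.pdf", 200,
     {"Content-Type": "application/pdf; charset=binary",
      "Content-Disposition": "inline; filename=inline.pdf"}),
    ("http://example.org/docs/report.pdf", 200,
     download_headers_for_pdf("docs/report.pdf")),
    ("http://example.org/missing.pdf", 404,
     {"Content-Type": "text/html"}),
    ("http://example.org/legacy.pdf", 200,
     {"content-type": "application/x-pdf"}),
]


if __name__ == "__main__":
    for url in audit(SAMPLE_RESPONSES):
        print(f"renders inline in the browser plugin: {url}")
```

The audit only reasons about headers it is given, so feed it whatever your crawler or log pipeline already records; it does not fetch anything itself.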

I keep reading about the "anchor tag" not being sent to the server. I finally realized that people mean to say fragment identifier. An anchor tag is just the <a> tag we use in HTML to create links. (I'll withhold another long-winded rant about technical vocabulary, although that was an interesting discussion.) Hopefully this tidbit can help you if you're trying to follow the ongoing discussion.