PDF = Potential Death File?

I suggest you change how your browser handles .pdf files so that, instead of displaying them in the browser, it downloads them. Sven Vetsch has written about a flaw found by Stefano Di Paola and Giorgio Fedon (who presented it at CCC) in which a .pdf file can run arbitrary JavaScript in the context of the site hosting the file. It seems that just by hosting PDFs you are putting your site's users at risk of all the evil doings JavaScript can perform. If you want to find out more about the flaw, I suggest you read the afore-linked blog post, or gnucitizen’s take on it (which includes a PoC). What I am more interested in right now is fixing the issue.

Obviously a plugin upgrade would be nice, but what about between then and now? I’d be happy if we could get a fix out quickly for webmasters to apply to their sites, but since the part of the URL after the hash (which in this case is what holds the malicious code) is never sent to the server, any server-side solution is pretty much impossible.
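To make that last point concrete, here is a small added example (not from the original post) that builds what a browser actually puts on the wire for a URL and the access-log line the server would record. The URLs and the `SCRIPT_MARKER` string are constructed placeholders; the point is that a marker placed after `#` never appears in the request or the logs, so neither a server-side filter nor a log search can detect it, whereas the same marker in the query string would.

```python
from urllib.parse import urlsplit

# Constructed sample URLs (not from the original post). The first carries a
# placeholder payload in the fragment, the second carries the same placeholder
# in the query string for comparison.
FRAGMENT_URL = "https://example.com/docs/report.pdf#payload=SCRIPT_MARKER"
QUERY_URL = "https://example.com/docs/report.pdf?payload=SCRIPT_MARKER"


def request_target(url: str) -> str:
    """Return the request-target a browser sends in the HTTP request line.

    The fragment is client-side only: browsers transmit path and query,
    so nothing after '#' ever reaches the server.
    """
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return target


def access_log_line(url: str) -> str:
    """Simulate the Common Log Format line a web server would record (constructed)."""
    return (
        '203.0.113.5 - - [02/Jan/2007:10:00:00 +0000] '
        f'"GET {request_target(url)} HTTP/1.1" 200 4096'
    )


def server_can_see(url: str, marker: str) -> bool:
    """True if a server-side filter or a log search could spot `marker`."""
    return marker in access_log_line(url)


def client_side_sees(url: str, marker: str) -> bool:
    """True if code running in the browser (e.g. reading location.href) could see `marker`."""
    return marker in urlsplit(url).fragment


if __name__ == "__main__":
    for u in (FRAGMENT_URL, QUERY_URL):
        print(access_log_line(u))
        print("  server sees marker:", server_can_see(u, "SCRIPT_MARKER"))
        print("  client sees marker:", client_side_sees(u, "SCRIPT_MARKER"))
```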
Oh, what a fun start to the new year, eh? On a more light-hearted note, the first person to see a spam email using this technique wins a virtual cookie from me.
