A particularly nasty cross-site scripting (XSS) vulnerability has surfaced that impacts Firefox users who have installed the Adobe Reader (Acrobat/PDF) plugin. Proof of concept exploits have been published on Bugtraq as well as several blogs (here for example). Adobe has fixed the problem in Acrobat version 8; which is only available for Windows, no word yet on a fix for the Linux plugin (which is based on Acrobat version 7).
The technique was first disclosed last week at the 23rd Chaos Communication Congress by Stefano Di Paola and Giorgio Fedon in their Subverting AJAX presentation. Sven Vetsch discovered another wrinkle and publicized it on his blog. The crux of the vulnerability is a link with a URL of the following form:
Any site hosting a PDF file is vulnerable and there is little that the site can do; there is no indication that the request is anything out of the ordinary because the string after the '#' is not passed as part of the request. Concerned sites could stop hosting PDF files, but that seems rather unlikely. Other server-side solutions are being discussed as there is a concern that users are unlikely to upgrade their browser plugins. Hosting sites would much rather that they be in control of whether their PDF files can appear in links with malicious content. Most XSS problems can be handled by proper server side filtering of user supplied content, but this particular vulnerability is different.
So far there are no reports of other PDF plugins that follow Adobe's lead in retrieving URLs that appear in links to PDF files. In this author's experience, PDF viewing utilities are separate programs that get invoked by the browser after it downloads a PDF file. For xpdf and kpdf (and presumably others), this works just fine but Adobe chose to provide a means of more closely integrating PDF viewing into the browser. Unfortunately, the fact that this plugin is closed source implies that users, especially Linux users, must wait for Adobe to fix the problem. We cannot fix it ourselves.
One could certainly imagine a similar mistake being made by one of the other PDF viewer development teams; Adobe is hardly alone in making bad choices in developing software. However, the fix for an open source PDF viewer would likely be available within hours of the report. Adobe was notified about this problem on 15 October according to the advisory, but there is still no fix for Linux. Disabling the plugin would seem to be prudent.
Fixing the affected software is just the start of the task of fixing the overall problem. As mentioned above, users are not particularly good at picking up security fixes even when they know about them. Getting the message out on this particular problem is a big hurdle. The alternative is to educate users so that they can recognize maliciously crafted links to PDFs and that is almost certainly a harder task.
The potential for a widespread outbreak exploiting this vulnerability is fairly high and this will probably not be the last we will hear about it. It certainly has the possibility of damaging the reputation of PDF amongst even casual web users and that is probably keeping some folks at Adobe awake at nights.
|Created:||January 1, 2007||Updated:||January 26, 2007|
|Description:||The network monitoring and graphing frontend Cacti has three vulnerabilities. The cmd.php script allows command line usage and is also installed in a web-accessible location. The cmd.php input is insufficiently sanitized, a passed-in URL can be used to inject arbitrary SQL code. The cmd.php script can be used by a remote attacker to execute arbitrary shell commands via improperly sanitized results from SQL queries.|
|Created:||January 3, 2007||Updated:||January 3, 2007|
|Description:||A botched regular expression allows a remote attacker to add arbitrary hosts to the denyhosts blacklist, causing those hosts to be unable to make ssh connections to the target system.|
|Package(s):||elog||CVE #(s):||CVE-2006-5063 CVE-2006-5790 CVE-2006-5791 CVE-2006-6318|
|Created:||December 28, 2006||Updated:||January 3, 2007|
|Description:||elog, a web-based electronic logbook has multiple vulnerabilities that may lead to arbitrary code execution. Log entry editing in HTML has a cross-site scripting vulnerability. A number of format string vulnerabilities may be used for the execution of arbitrary code. There are cross-site scripting vulnerabilities related to the creation of new logbook entries. There is insufficient error handling in config the file parsing that may be used for a denial of service attack.|
|Created:||December 21, 2006||Updated:||January 17, 2007|
|Description:||The Mono ASP.NET server XSP has a source disclosure attack vulnerability. A malicious user can use this to acquire the source code of a server-side application.|
|Created:||December 26, 2006||Updated:||January 3, 2007|
|Description:||A buffer overflow was discovered in the "parse_expression" function of the "permissions" module of the SIP router OpenSER, versions up to and including 1.1.0. The OpenSER "permissions" module is used to determine if a SIP call has appropriate permission to be established. The "parse_expression" function is used during parsing of the modules local allow/deny configuration files.|
|Created:||December 28, 2006||Updated:||January 15, 2007|
|Description:||The W3M textual web browser has a format string vulnerability. If the run-time options -dump or -backend are used, W3M can be made to crash if certain escape sequences occur in the Common Name of a web site X.509 certificate.|
Page editor: Jonathan Corbet
Next page: Kernel development>>
Copyright © 2007, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds