PDFãƒ•ã‚¡ã‚¤ãƒ«ã§XSSãŒå¯èƒ½ï¼å±é™ºåº¦é«˜ã—

[WEB SECURITY] Universal XSS with PDF files: highly dangerous

Webã‚µã‚¤ãƒˆã«PDFãƒ•ã‚¡ã‚¤ãƒ«ãŒç½®ã„ã¦ã‚ã‚‹å ´åˆã€ä¸‹è¨˜ã®ã‚ˆã†ã«ã™ã‚‹ã“ã¨ã§ã‚¹ã‚¯ãƒªãƒ—ãƒˆãŒå®Ÿè¡Œã§ãã¦ã—ã¾ã†ã¨ã„ã†å•é¡Œã§ã™ã€‚

http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here

ã‚µãƒ¼ãƒãƒ¼å´ã®å¯¾å‡¦ã¨ã—ã¦ã¯ã€æ¨™æº–ã®ã€Œapplication/pdfã€ã§ã¯ãªãã€ã€Œapplication/octet-streamã€ã§é–‹ãã‚ˆã†ã«ã™ã‚Œã°ãƒ–ãƒ©ã‚¦ã‚¶å†…ã§PDFãƒ•ã‚¡ã‚¤ãƒ«ã‚’é–‹ã‹ãšã€å¤–éƒ¨ã‚¢ãƒ—ãƒªã‚±ãƒ¼ã‚·ãƒ§ãƒ³ã¨ã—ã¦é–‹ãã“ã¨ã«ãªã‚‹ã®ã§å›žé¿ã§ãã‚‹æ§˜åã€‚ãŸã ã—ã€PDFãƒ•ã‚¡ã‚¤ãƒ«ã‚’ãƒ–ãƒ©ã‚¦ã‚¶å¤–ã§é–‹ãã“ã¨ã«ãªã‚‹ã®ã§ã€PDFã‚’ä¸»ãªã‚³ãƒ³ãƒ†ãƒ³ãƒ„ã¨ã—ã¦ã„ã‚‹ã‚ˆã†ãªWebã‚µã‚¤ãƒˆã§ã¯ä½¿ã„å‹æ‰‹ãŒå¤‰ã‚ã£ã¦ã—ã¾ã†ã€‚è¨å®šå¤‰æ›´ã‚’å®Ÿæ–½ã™ã‚‹éš›ã«ã¯é¡§å®¢ã®ç†è§£ãŒå¿…è¦ã§ã—ã‚‡ã†ã‹ã€‚

è¨å®šã¯bunã•ã‚“ã®ã€Œ"é€±"è¨˜(2007-01-04)ã€ãŒå‚è€ƒã«ãªã‚Šã¾ã™ã€‚ï¼ˆä¸‹è¨˜ã¯å¼•ç”¨ï¼‰

<Files "*.pdf">
Header set Content-Disposition: attachment
ForceType application/octet-stream
</Files>

ãƒ¦ãƒ¼ã‚¶ãƒ¼å´ã®å¯¾å‡¦ã¨ã—ã¦ã¯ã€Acrobat Readerã‚’ Ver.8.0.0ä»¥é™ã«ã™ã‚‹ã¨ã‚ˆã„ã‚ˆã†ã§ã™ã€‚ã‚¢ãƒƒãƒ—ãƒ‡ãƒ¼ãƒˆãŒå¿…é ˆã§ã™ã€‚

Adobe – Adobe Readerã®ãƒ€ã‚¦ãƒ³ãƒãƒ¼ãƒ‰