A reasonably nasty one this morning: imagine you could run JavaScript in the context of a remote host just by adding some code to the URL of a real PDF file. Well, you can!
http://host/file.pdf#anchor=javascript:[code]
This is totally client side: the URL uses the anchor in the PDF URL to get Acrobat to run the JavaScript. To test if you are vulnerable, here is a Demonstration link with a javascript:alert(123).
Depending on how the client is protecting itself from scripts, you could start doing some pretty nasty stuff in the context of the site that is hosting the PDF.
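A link filter for the URL shape above, as an added example that is not part of the original post: it flags http(s) links to a .pdf path whose fragment carries a parameter with a javascript: value. The function names and the example.test sample links are constructed for illustration.

```javascript
// Added example: flag links shaped like http://host/file.pdf#name=javascript:[code]

// Undo percent-encoding, up to three rounds, so %6Aavascript: or a
// double-encoded value cannot hide the scheme. Malformed escapes stop the loop.
function decodeLoosely(s) {
  for (let i = 0; i < 3; i++) {
    let next;
    try { next = decodeURIComponent(s); } catch (e) { break; }
    if (next === s) break;
    s = next;
  }
  return s;
}

// Returns the names of fragment parameters whose value is a javascript: URI.
// Returns [] for unparsable input, non-http(s) links, non-PDF paths, or clean fragments.
function suspiciousPdfFragmentParams(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch (e) { return []; }
  if (!/^https?:$/.test(url.protocol)) return [];
  if (!/\.pdf$/i.test(decodeLoosely(url.pathname))) return [];
  const hits = [];
  for (const pair of url.hash.replace(/^#/, "").split("&")) {
    const eq = pair.indexOf("=");
    if (eq < 0) continue;
    const name = decodeLoosely(pair.slice(0, eq));
    // Drop whitespace and control characters before matching, so the check
    // errs on the side of flagging.
    const value = decodeLoosely(pair.slice(eq + 1)).replace(/[\s\u0000-\u001f]+/g, "");
    if (/^javascript:/i.test(value)) hits.push(name);
  }
  return hits;
}

// Constructed sample links; example.test is a placeholder host.
const samples = [
  "http://example.test/file.pdf#anchor=javascript:alert(123)",
  "http://example.test/docs/REPORT.PDF#page=2&x=%6Aavascript:alert(123)",
  "http://example.test/file.pdf#page=3",
  "http://example.test/page.html#anchor=javascript:alert(123)",
];
for (const link of samples) {
  const hits = suspiciousPdfFragmentParams(link);
  console.log(hits.length ? `FLAG  ${link}  (param: ${hits.join(", ")})` : `ok    ${link}`);
}
```

Because the fragment is never sent to the web server, a check like this has to run where the full link is visible, for example in a mail or proxy filter or over the links in a rendered page.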
Mitigation:
This appears to be fixed in Adobe Acrobat/Reader 8, another reason to update. When you click the link, the plug-in gives the error message “This operation is not allowed”.

If you cannot update to Acrobat v8, then:
- Turn off JavaScript in your browser
- Use the NoScript Add-on for Firefox
- Stop Acrobat Reader from running as a browser plug-in:
  Adobe Acrobat Reader > Edit menu > Preferences > un-check "Display PDF in browser"
Preview in OS X does not process the JavaScript.
LINKS:
[1.] Subverting AJAX [23rd Chaos Communication Congress]
[2.] DANGER, DANGER, DANGER (03-Jan-2007) [GNUCITIZEN]
[3.] Adobe Acrobat JavaScript Execution Bug (03-Jan-2007) [Slashdot]
[4.] PDF XSS vulnerability announced at CCC (03-Jan-2007) [SANS]
[5.] Adobe Reader Cross-Site Scripting Vulnerability SA23483 (03-Jan-2007) [Secunia]






Thanks for passing along the info about how the current version of Adobe Reader already prevents this.
The Adobe Security Advisory on the subject just went live this evening too:
http://www.adobe.com/support/security/advisories/apsa07-01.html
tx, jd/adobe
Hello,
might be a bit off topic, but I also very much dislike that Adobe Reader has JavaScript capabilities. I recommend anyone to disable JavaScript in Adobe Reader:
http://netzreport.googlepages.com/how_to_use_adobe_read_no_javascript.html
Gerhard Milke