Date: 10 January 2007
References: ESB-2007.0001
AusCERT Update AU-2007.0001 - [Win][Linux]
Server-side workarounds to prevent cross-site scripting
due to Adobe Reader and Acrobat
10 January 2007
AusCERT Update Summary
----------------------
Product:           Adobe Reader 7.0.8 and prior
                   Adobe Acrobat 7.0.8 and prior
Publisher:         Adobe
Operating System:  Windows
                   Linux variants
Impact:            Cross-site Scripting
Access:            Remote/Unauthenticated
CVE Names:         CVE-2007-0045
Ref:               ESB-2007.0001
Original Bulletin:
  http://www.adobe.com/support/security/advisories/apsa07-02.html
Comment: Organisations with an authenticated website that also host a PDF file
somewhere on their domain should consider the mitigations below.
While Adobe has released updates fixing the vulnerabilities,
the mitigations below help guard against the possibility that some
users or customers still have the vulnerable versions of Adobe Reader
(before 7.0.9) installed.
Such organisations may have some risk of their users' authentication
credentials being stolen, or of actions being taken on the authenticated
site with the privileges of those users, via the cross-site scripting
and cross-site request forgery vulnerabilities described in ESB-2007.0001.
--------------------------BEGIN INCLUDED TEXT--------------------
Server-side workarounds to prevent potential cross-site scripting vulnerability
in versions 7.0.8 and earlier of Adobe Reader and Acrobat
Release date: January 9, 2007
Vulnerability identifier: APSA07-02
CVE number: CVE-2007-0045
Summary:
This Security Advisory is intended to provide server-side workarounds
for website operators to prevent the cross-site scripting vulnerability
documented in Security Bulletin APSB07-01. Adobe recommends that Adobe
Reader and Acrobat users update their software to prevent the issue.
Solution:
Adobe recommends that Adobe Reader and Acrobat users update their
software to prevent the issue. Potential server-side workarounds are
detailed below.
NOTE: Before applying any of these configuration changes to your
production servers they should be tested to make sure they work for
your environment.
Modify the MIME type of PDFs
One way to prevent the Adobe Reader and Acrobat plug-ins from passing
JavaScript to the browser is to force PDFs to open outside of the
browser, in Adobe Reader or Acrobat Professional. To accomplish this,
change the MIME (Multipurpose Internet Mail Extension) type of the
.pdf file extension from application/pdf to a generic binary type
(application/octet-stream), for which the web browser will then prompt
the user to open or save the file.
IIS 6.0
1. Open the Internet Information Services Manager.
2. Locate the folder containing PDFs under your Web site.
3. Right-click the folder and select Properties.
4. Select the HTTP Headers tab.
5. Click the MIME Types button.
6. Click the New... button to create a new MIME type.
7. Enter pdf for the Extension and
   application/octet-stream for the MIME type.
8. Click ok.
9. Click ok.
10. Click ok to apply the changes.
Note: This property can also be changed on a specific file.
Apache 2.2.3
Use mod_mime with AddType (or mod_rewrite)
1. Open httpd.conf
2. Locate the <IfModule mime_module> section
3. Insert
       AddType application/octet-stream .pdf
4. Close and Save httpd.conf
5. Restart the Apache Service
Add the Content-Disposition Header
Similar to changing the MIME type, a Content-Disposition Header can
be added to the server response.
IIS 6.0
1. Open the Internet Information Services Manager.
2. Locate the folder containing PDFs under your Web site.
3. Right-click the folder and select Properties.
4. Select the HTTP Headers tab.
5. Click the MIME Types button.
6. Click the Add button in the Custom HTTP Headers section.
7. Add a header named Content-Disposition with a value of
attachment; filename=yourfile.pdf
8. Click ok to apply the changes.
Note that this setting is applied on a per file basis.
Apache 2.2.3
Use mod_headers
1. Open httpd.conf
2. Add
       <IfModule mod_headers.c>
           <FilesMatch "\.pdf$">
               Header append Content-Disposition "attachment;"
           </FilesMatch>
       </IfModule>
3. Close and Save httpd.conf
4. Restart the Apache Service
Store PDF in a non web-accessible location
Lastly, in an environment where access to the configuration files
is not possible, consider creating server-side code (ColdFusion, Java,
PHP, ASP.NET, etc.) to read the file from a location outside the web
root and send it back as part of the Response. For example, yourfile.pdf
could be a script that returns the real PDF.
Note: you will still need to set the Response.ContentType to
application/octet-stream. Review your server-side language
documentation for more information.
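As an added example (not part of the Adobe or AusCERT text), the following Python WSGI handler combines the three workarounds above: it reads PDFs from a directory outside the web root, sends them as application/octet-stream, and adds a Content-Disposition: attachment header. It also includes delivery_is_safe(), a check an operator can run over a server's response headers to confirm that at least one of the two header-based workarounds is in place. The store directory, the file name pattern and the /pdf/<name>.pdf URL layout are assumptions made for the example.

```python
import os
import re
import tempfile

# Constructed sample store: a directory outside the web root holding one PDF.
PDF_DIR = tempfile.mkdtemp(prefix="pdf-store-")
with open(os.path.join(PDF_DIR, "report.pdf"), "wb") as f:
    f.write(b"%PDF-1.4\n% constructed sample, not a real document\n")

# Only a bare file name is accepted, so a request can never escape PDF_DIR.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.pdf$")

def not_found(start_response):
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]

def pdf_app(environ, start_response):
    """WSGI handler: serve /pdf/<name>.pdf from PDF_DIR as a download."""
    name = environ.get("PATH_INFO", "").rsplit("/", 1)[-1]
    if not SAFE_NAME.match(name):
        return not_found(start_response)
    path = os.path.join(PDF_DIR, name)
    if not os.path.isfile(path):
        return not_found(start_response)
    with open(path, "rb") as fh:
        body = fh.read()
    headers = [
        # Workaround 1: generic binary type; the browser prompts to open/save.
        ("Content-Type", "application/octet-stream"),
        # Workaround 2: force a download even if the type were sniffed.
        ("Content-Disposition", 'attachment; filename="%s"' % name),
        ("Content-Length", str(len(body))),
    ]
    start_response("200 OK", headers)
    return [body]

def delivery_is_safe(headers):
    """True if a response carries either workaround; use it to verify a server."""
    h = {k.lower(): v.lower() for k, v in headers}
    ctype = h.get("content-type", "").split(";")[0].strip()
    disp = h.get("content-disposition", "").split(";")[0].strip()
    return ctype == "application/octet-stream" or disp == "attachment"

def fetch(path):
    """Drive pdf_app in-process; returns (status, headers, body)."""
    captured = {}
    def start_response(status, headers):
        captured["status"], captured["headers"] = status, headers
    body = b"".join(pdf_app({"PATH_INFO": path}, start_response))
    return captured["status"], captured["headers"], body
```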
Severity Rating:
Adobe categorizes this as an important issue and recommends affected
users update their software.
Details:
This Security Advisory is intended to provide server-side workarounds
for website operators to prevent the cross-site scripting vulnerability
documented in Security Bulletin APSB07-01. A cross-site scripting
(XSS) vulnerability in versions 7.0.8 and earlier of Adobe Reader and
Acrobat could allow remote attackers to inject arbitrary JavaScript
into a browser session. This issue could occur when a user clicks on
a malicious link to a PDF file. Exploitability depends on the browser
and browser version being used. This vulnerability does not allow
execution of binary code. This issue is remotely exploitable. Adobe
recommends that Adobe Reader and Acrobat users update their software
to prevent the issue.
--------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================