Vulnerability details:

Adobe Acrobat Reader Browser Plug-in PDF XSS

Record

Record created 2007-01-03 19:01:47, last updated 2010-11-04 19:43:39

Acrobat Reader contains a flaw that allows a remote cross-site scripting attack. The flaw exists because the browser plug-in does not validate user-supplied input appended to the URL of a hosted PDF file before returning that input to the user. This could allow an attacker to create a specially crafted URL that executes arbitrary code in the user's Acrobat Reader browser plug-in, within the trust relationship between the browser and the server, leading to a loss of integrity.


http://[host]/[filename].pdf#AnyText=javascript:alert('xss');

This requires Adobe Reader to be installed on the client and associated with the browser.
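Because the vulnerable component is the client-side plug-in, the usual server-side mitigation is to keep hosted PDFs from being rendered inline in the browser by forcing a download. The following added example (not from this record, from OSVDB or from Adobe) audits raw HTTP responses for inline PDF delivery and builds the hardened headers; the sample responses, file names and the X-Content-Type-Options header are constructed assumptions for illustration.

```python
# Added example, not part of the record above: audit whether a server still
# lets the affected Acrobat browser plug-in render hosted PDFs inline. The
# vulnerable component is the client plug-in, so the server-side mitigation is
# to force a download with "Content-Disposition: attachment" (the plug-in is
# then not invoked on the #name=javascript: fragment). Sample responses below
# are constructed; header values and file names are hypothetical.

def parse_response(raw: str):
    """Split a raw HTTP/1.x response into (status line, lower-cased header dict)."""
    head, _, _body = raw.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def media_type(headers) -> str:
    return headers.get("content-type", "").split(";")[0].strip().lower()

def disposition_type(headers) -> str:
    return headers.get("content-disposition", "").split(";")[0].strip().lower()

def audit_pdf_delivery(raw: str) -> dict:
    """Flag PDF responses that an in-browser plug-in would render inline."""
    _status, headers = parse_response(raw)
    if media_type(headers) != "application/pdf":
        return {"pdf": False, "inline": False, "finding": None}
    inline = disposition_type(headers) != "attachment"
    finding = None
    if inline:
        finding = ("PDF served without Content-Disposition: attachment; an "
                   "affected Acrobat plug-in will render it in the browser")
    return {"pdf": True, "inline": inline, "finding": finding}

def hardened_pdf_headers(filename: str) -> dict:
    """Headers that make the browser download the PDF instead of rendering it."""
    safe_name = "".join(c for c in filename if c.isalnum() or c in "._-") or "file.pdf"
    return {
        "Content-Type": "application/pdf",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
    }

# Constructed sample responses (hypothetical server and file names).
INLINE_PDF = ("HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n"
              "Content-Length: 1234\r\n\r\n%PDF-1.4 ...")
FORCED_DOWNLOAD = ("HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n"
                   'Content-Disposition: attachment; filename="report.pdf"\r\n\r\n%PDF-1.4 ...')
HTML_PAGE = "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n<html></html>"

if __name__ == "__main__":
    for raw in (INLINE_PDF, FORCED_DOWNLOAD, HTML_PAGE):
        print(audit_pdf_delivery(raw))
```

The audit only covers the server-side delivery headers; clients with an affected plug-in still need the Reader update, and the audit does not see the URL fragment, which never reaches the server.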

 
Vendor                        Version  Status
Adobe Systems Incorporated    3.x      Affected
Adobe Systems Incorporated    4.x      Affected
Adobe Systems Incorporated    5.x      Affected
Adobe Systems Incorporated    6.x      Affected
Adobe Systems Incorporated    7.x      Affected
Adobe Systems Incorporated    6.x      Affected
Adobe Systems Incorporated    7.x      Affected
Adobe Systems Incorporated    3.x      Affected
Adobe Systems Incorporated    4.x      Affected
Adobe Systems Incorporated    3D       Affected
Adobe Systems Incorporated    5.x      Affected
Adobe Systems Incorporated    6.x      Affected
Adobe Systems Incorporated    7.0.0    Affected
Adobe Systems Incorporated    7.0.1    Affected
Adobe Systems Incorporated    7.0.2    Affected
Adobe Systems Incorporated    7.0.3    Affected
Adobe Systems Incorporated    7.0.4    Affected
Adobe Systems Incorporated    7.0.5    Affected
Adobe Systems Incorporated    7.0.6    Affected
Adobe Systems Incorporated    7.0.7    Affected
Adobe Systems Incorporated    7.0.8    Affected
 
Attack Type :  Input Manipulation
 XSS, SQL injection, file retrieval, directory traversal, overflows, URL encoding.
 Discovered on 2006-12-27 19:03:51

Disclosure :  OSVDB Verified
 Confirmed on 2006-12-27 19:03:51

Disclosure :  Vendor Verified

Exploit :  Exploit Public
 Exploit discovered on 2006-12-27 07:00:00

Impact :  Loss of Integrity
 Assurance that data is unaltered by unauthorized persons. Examples: XSS, arbitrary command execution, most overflows, most format strings, SQL injection, unauthorized file modification/deletion/creation, remote file inclusion, etc.

Location :  Remote / Network Access
 If network access is required and the exploit can be done remotely.

OSVDB :  Web Related
 The vulnerability is a web issue and will have an associated security check.
 
 
External refs :
OSVDB  31046
© Power4Security.com - BMS Ltd UK 2007-2008 - powered by Power4Website.com