XSS through PDF files
This is just great. You can now hack websites with XSS in PDF files. Adobe Reader will execute any JavaScript passed to it through a query string. Here is a working example:
http://www.example.com/document.pdf#whatever_name_you_want=javascript:alert(document.cookie);
If you replace www.example.com and document.pdf with valid samples and click on the link, the browser will pop up, load the specified file from the specified site and show you your cookies for that site.
Adobe Reader v8.0 is not affected. Also, this does not work on some Win XP SP2 + IE 7.0 systems.
Found via Alek Levin.
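For anyone filtering user-submitted links, here is a check for the URL pattern shown above, as an added example that is not part of the original post. The function names are hypothetical, and matching on a path ending in .pdf and decoding percent-escapes before matching are assumptions of this sketch.

```javascript
// Added example: flag links to PDF files whose part after "#" carries a
// javascript: value, as in the link shown in the post.
// Assumption: PDFs are recognised by a path ending in ".pdf"; a PDF served
// from another path is not covered by this check.

function fragmentValues(hash) {
  // "#a=1&b=2" -> ["1", "2"]; a piece with no "=" is treated as a value itself.
  return hash.replace(/^#/, "").split("&").map((pair) => {
    const eq = pair.indexOf("=");
    return eq === -1 ? pair : pair.slice(eq + 1);
  });
}

function normalise(value) {
  let v = value;
  try {
    v = decodeURIComponent(v); // conservative: compare the decoded form
  } catch (e) {
    // malformed escape sequence: fall back to the raw text
  }
  // Remove whitespace and control characters, then lower-case for comparison.
  return v.replace(/[\s\u0000-\u001f]+/g, "").toLowerCase();
}

function isSuspiciousPdfLink(href) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return false; // not an absolute URL, nothing to inspect
  }
  if (!/^https?:$/.test(url.protocol)) return false;
  if (!/\.pdf$/i.test(url.pathname)) return false;
  return fragmentValues(url.hash).some((v) =>
    normalise(v).startsWith("javascript:")
  );
}

// Returns only the links that should be rejected or rewritten.
function flagLinks(links) {
  return links.filter(isSuspiciousPdfLink);
}
```

Stripping the fragment from a flagged link, or rejecting the link outright, are both reasonable ways to act on the result.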