PDF XSS exploit protection

rjlov · 4 Jan 2007, 08:36 PM

Hi.

I've just put in place a couple of checks to help protect our users from a particular family of XSS attacks via links to PDF files. If you're viewing an HTML message that contains one of these links via the web interface, then the Phishing Protection will disable the link with a warning. URLs of this form that appear in a text message will not be converted to a clickable link.

This should reduce the likelihood of users being compromised by such links sent to them in email messages.

For more information on the exploit:
http://secunia.com/advisories/23483/
http://www.kb.cert.org/vuls/id/815960

Richard.

Jeremy Howard · 5 Jan 2007, 12:21 PM

Pretty cool - protection added within 24 hours of the security advisory!

eggman · 6 Jan 2007, 09:42 AM

thanks! great work.

4 Jan 2007, 08:36 PM	#1
rjlov Essential Contributor Join Date: Aug 2003 Location: Melbourne, Australia Posts: 282 Representative of: Fastmail.FM	PDF XSS exploit protection Hi. I've just put in place a couple of checks to help protect our users from a particular family of XSS attacks via links to PDF files. If you're viewing an HTML message that contains one of these links via the web interface, then the Phishing Protection will disable the link with a warning. URLs of this form that appear in a text message will not be converted to a clickable link. This should reduce the likelihood of users being compromised by such links sent to them in email messages. For more information on the exploit: http://secunia.com/advisories/23483/ http://www.kb.cert.org/vuls/id/815960 Richard.

5 Jan 2007, 12:21 PM	#2
Jeremy Howard Ultimate Contributor Join Date: Sep 2001 Location: Australia Posts: 11,499	Pretty cool - protection added within 24 hours of the security advisory!

6 Jan 2007, 09:42 AM	#3
eggman Essential Contributor Join Date: Jun 2002 Location: AU Posts: 468	thanks! great work.