eMarkLee

A Adobe Acrobat vulnerability was announced by some hackers today. It is interesting because this is a very simple hack that shows the vulnerability of PDFs to XSS injection. This is a pretty big deal for any sites out there that have PDFs on site as it could allow for hackers to use your site as a means to do XSS. Security exploits are announced by the hour, but this one was important enough to make Slashdot and eMarkLee because of its span. We’re talking about millions of sites/pdfs out there that are vulnerable to this.

It is a pretty simple hack, just doing this:

http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here

like this:
http://www.google.com/librariancenter/downloads/Tips_Tricks_85×11.pdf#something=javascript:alert(‘%59%6F%75%72%20%63%6F%63%6B%20%69%73%20%73%6D%61%6C%6C’);

Of course, one could do much worse things like cookie stealing, spoof-site redirection, etc. There are workarounds and this only affects some browsers (IE6, of course), but in the meantime you should be a bit more careful with links to PDFs for a while.