Preventing potential cross-site scripting vulnerability

There is a security issue affecting Acrobat Reader version 7.08 and earlier versions. The flaw lets attackers use a technique known as cross-site scripting, in which they blend malicious JavaScript with a link to a Portable Document Format (PDF) file on a Web site to hijack a user's computer.

There is a server-wide workaround for sites whose visitors may not have the latest version: make Apache serve PDF files as downloads instead of letting the browser plugin open them inline.

1. Search for DefaultType in /usr/local/apache/conf/httpd.conf. After the line "DefaultType text/plain", add:

AddType application/octet-stream .pdf

2. Enable mod_headers. Check the version of Apache and go to the matching source directory (the path below is for Apache 1.3.37 as built by cPanel), then compile and install the module:

cd /home/cpapachebuild/buildapache/apache_1.3.37/src/modules/standard
/usr/local/apache/bin/apxs -c mod_headers.c
/usr/local/apache/bin/apxs -i -a -n headers mod_headers.so

3. Search for modsec in /usr/local/apache/conf/httpd.conf and add the following after that line (use plain ASCII double quotes; curly quotes will keep the FilesMatch pattern from matching):

<IfModule mod_headers.c>
<FilesMatch "\.pdf$">
Header append Content-Disposition "attachment"
</FilesMatch>
</IfModule>

4. Restart Apache and confirm that a request for a .pdf file now comes back with Content-Type: application/octet-stream and a Content-Disposition: attachment header.
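The following script is an added example, not part of the original post: it checks a set of HTTP response headers for the two defences the steps above configure. The sample responses are constructed here so it runs offline; against a live server you would pipe real headers in with curl, as the comment shows (the URL there is a placeholder).

```shell
#!/bin/sh
# Added example, not part of the original post: verify that a server answers
# requests for .pdf files with the two headers the workaround above configures.
# Against a live server you would pipe real headers in, e.g.
#   curl -sI "https://www.example.com/file.pdf" | pdf_headers_ok
# (placeholder URL). The responses below are constructed for an offline run.

# Read raw HTTP response headers from stdin. Return 0 when both
# "Content-Type: application/octet-stream" and "Content-Disposition: attachment"
# are present (case-insensitive, CRLF tolerated), otherwise return 1.
pdf_headers_ok() {
    headers=$(tr -d '\r')
    printf '%s\n' "$headers" | grep -qi '^content-type: *application/octet-stream' || return 1
    printf '%s\n' "$headers" | grep -qi '^content-disposition: *attachment' || return 1
    return 0
}

# Convenience wrapper so a response held in a shell variable can be checked.
check_response() {
    printf '%s\n' "$1" | pdf_headers_ok
}

# Constructed sample: what the server should send after steps 1 to 4.
HARDENED_RESPONSE='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2007 00:00:00 GMT
Server: Apache/1.3.37
Content-Type: application/octet-stream
Content-Disposition: attachment
Content-Length: 12345'

# Constructed sample: a stock Apache answer that still lets the browser
# plugin open the PDF inline, i.e. the workaround is not in effect.
DEFAULT_RESPONSE='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2007 00:00:00 GMT
Server: Apache/1.3.37
Content-Type: application/pdf
Content-Length: 12345'

# Constructed sample: only one of the two headers was added. The post's
# workaround expects both, so this is reported as incomplete.
PARTIAL_RESPONSE='HTTP/1.1 200 OK
Content-Type: application/pdf
Content-Disposition: attachment
Content-Length: 12345'

# Print a one-line verdict for a named sample.
report() {
    if check_response "$2"; then
        echo "$1: hardened (PDF will be offered as a download)"
    else
        echo "$1: NOT hardened"
    fi
}

report HARDENED_RESPONSE "$HARDENED_RESPONSE"
report DEFAULT_RESPONSE "$DEFAULT_RESPONSE"
report PARTIAL_RESPONSE "$PARTIAL_RESPONSE"
```

Run it after step 4 against the real server and the hardened verdict should appear; if it does not, the usual causes are curly quotes in the FilesMatch line or mod_headers not being loaded after the rebuild.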
