Cross-site Request Forgery (XSRF) Attacks
Cross-site request forgeries (XSRF) occur when a malicious user exploits the trust between a website and a user's browser: the browser automatically attaches the user's credentials to requests, so a request the attacker causes the browser to send is accepted by the website as if the user had made it. By exploiting that trust, malicious users can execute unauthorized commands on a website.
XSRF attacks rely on two items:
Access to authentication credentials
Surreptitious execution of a command via a URL
For more information about XSRF attacks, as well as a few examples, you can visit this Wikipedia page.
http://en.wikipedia.org/wiki/XSRF
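Because the browser supplies the authentication credentials on its own, the standard defence is to require something the attacker's page cannot obtain: a per-session token that the legitimate site embeds in its own forms and checks on every state-changing request. The following synchronizer-token check is an added example, not code from the original page; the session identifier, the in-memory secret key and the request shape are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

# Constructed for this example: a real deployment keeps one persistent, secret server key.
SECRET_KEY = os.urandom(32)

# Methods that must not change server state and therefore need no token.
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


def make_token(session_id, issued_at=None, key=SECRET_KEY):
    """Bind a token to the user's session and an issue time; the HMAC makes it unforgeable
    without the server key, so a page on another origin cannot compute it."""
    ts = int(time.time()) if issued_at is None else int(issued_at)
    mac = hmac.new(key, f"{session_id}:{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{mac}"


def verify_token(token, session_id, max_age=3600, now=None, key=SECRET_KEY):
    """Accept only a token issued for this session, not expired and not from the future."""
    try:
        ts_str, mac = token.split(":", 1)
        ts = int(ts_str)
    except (ValueError, AttributeError):
        return False
    now = int(time.time()) if now is None else int(now)
    if ts > now or now - ts > max_age:
        return False
    expected = hmac.new(key, f"{session_id}:{ts}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so a wrong token cannot be guessed byte by byte via timing.
    return hmac.compare_digest(expected, mac)


def is_request_allowed(method, headers, form, session_id, now=None):
    """Decide whether a request may proceed. `form` and `headers` are plain dicts standing in
    for the parsed request (assumed shape). The session cookie alone is never enough: a forged
    cross-site request carries the cookie but has no way to carry a valid token."""
    if method.upper() in SAFE_METHODS:
        return True
    token = form.get("csrf_token") or headers.get("X-CSRF-Token")
    if not token:
        return False
    return verify_token(token, session_id, now=now)


if __name__ == "__main__":
    # Constructed sample: the victim's session and a token the legitimate site issued to it.
    session = "session-of-victim"
    token = make_token(session)
    print("legitimate POST:", is_request_allowed("POST", {}, {"csrf_token": token}, session))
    # A forged request from another site has the session cookie but no token.
    print("forged POST:    ", is_request_allowed("POST", {}, {}, session))
```

The token is tied to the session identifier rather than stored per user, so no server-side token table is needed; rotating the session (for example at login) invalidates all earlier tokens automatically.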
Preventing potential cross-site scripting vulnerability
There is a security issue in Adobe Acrobat Reader version 7.08 and earlier. The flaw lets attackers use a technique known as cross-site scripting, in which they blend malicious JavaScript with a link to a Portable Document Format (PDF) file on a website to hijack a user's computer.
There is a server-wide workaround for servers whose users do not have the latest version: serve every PDF as a plain download instead of letting the browser open it in the Reader plugin.
1 Search for DefaultType in /usr/local/apache/conf/httpd.conf. After the line
DefaultType text/plain
add
AddType application/octet-stream .pdf
2 Enable mod_headers. Check the version of Apache, change to the matching source directory (the path below is for Apache 1.3.37 as built by cPanel), then compile and install the module:
cd /home/cpapachebuild/buildapache/apache_1.3.37/src/modules/standard
/usr/local/apache/bin/apxs -c mod_headers.c
/usr/local/apache/bin/apxs -i -a -n headers mod_headers.so
3 Search for modsec in /usr/local/apache/conf/httpd.conf and add the following after that line:
<IfModule mod_headers.c>
<FilesMatch "\.pdf$">
Header append Content-Disposition "attachment;"
</FilesMatch>
</IfModule>
4 Restart Apache.
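After the restart, the only thing that matters is what a browser actually receives for a .pdf URL, so verify the headers rather than trusting the configuration. The checker below is an added example, not part of the original page: it evaluates a response's headers against the two settings the workaround introduces (Content-Type application/octet-stream and Content-Disposition attachment) and can also issue a HEAD request against a URL you supply. The sample headers at the bottom are constructed. It also flags the case, not covered above, where a Content-Disposition header already existed and "Header append" merged the two values.

```python
import urllib.request


def evaluate_pdf_headers(headers):
    """Return (ok, problems) for the response headers of a .pdf URL.

    `headers` is a plain dict; names are compared case-insensitively because
    servers and proxies are free to change their capitalisation.
    """
    h = {name.lower(): value for name, value in headers.items()}
    problems = []

    # The AddType step: the media type must no longer be application/pdf.
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/octet-stream":
        problems.append(
            f"Content-Type is {ctype or 'missing'}, expected application/octet-stream"
        )

    # The mod_headers step: the first disposition type must be 'attachment'.
    disp = h.get("content-disposition", "")
    types = [part.split(";")[0].strip().lower() for part in disp.split(",") if part.strip()]
    if not types or types[0] != "attachment":
        problems.append(f"Content-Disposition is {disp!r}, expected attachment")
    elif "inline" in types:
        # 'Header append' merges with a pre-existing header instead of replacing it;
        # a merged 'attachment, inline' value is ambiguous and must not be relied on.
        problems.append(
            "Content-Disposition mixes attachment with inline (pre-existing header merged by 'Header append')"
        )

    return (not problems, problems)


def check_url(url, timeout=10):
    """Issue a HEAD request and evaluate the live headers (network access required)."""
    request = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return evaluate_pdf_headers(dict(response.headers.items()))


# Constructed sample responses: before and after applying the workaround.
BEFORE_FIX = {"Content-Type": "application/pdf"}
AFTER_FIX = {
    "Content-Type": "application/octet-stream",
    "Content-Disposition": "attachment;",
}

if __name__ == "__main__":
    for label, sample in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        ok, problems = evaluate_pdf_headers(sample)
        print(f"{label}: {'OK' if ok else 'NOT protected'}", *problems, sep="\n  ")
    # To test a real server:  ok, problems = check_url("https://example.invalid/some.pdf")
```

Run it against a PDF on the server from outside the network path of any caching proxy; a proxy that rewrote the headers would otherwise hide a misconfiguration.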