Aug 10th, 2009
Preventing potential cross-site scripting vulnerability
A security issue affects Acrobat Reader version 7.08 and earlier versions. The flaw lets hackers use a technique known as cross-site scripting, in which they blend malicious JavaScript with a link to a Portable Document Format (PDF) file on a Web site to hijack a user’s computer.
There is a server-wide workaround for those who do not have the latest versions.
1 Search for DefaultType in /usr/local/apache/conf/httpd.conf
After “DefaultType text/plain”
Add
2 Next, enable mod_headers and check the version of Apache (go to the specified directory)
/usr/local/apache/bin/apxs -c mod_headers.c
/usr/local/apache/bin/apxs -i -a -n headers mod_headers.so
3 Search for modsec in /usr/local/apache/conf/httpd.conf and add the following after that line.
<IfModule mod_headers.c>
    # Serve PDF files as downloads instead of rendering them in the browser
    <FilesMatch "\.pdf$">
        Header append Content-Disposition "attachment;"
    </FilesMatch>
</IfModule>
4 Restart Apache
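To confirm the workaround took effect after the restart, the following added example (not part of the original post) reads raw response headers and reports the disposition type of a PDF response. The function names and sample headers are constructed for illustration. The check assumes the first token of the header value is the effective disposition type, which lets it catch the case where `Header append` merges "attachment;" onto a Content-Disposition header the response already carried.

```shell
#!/bin/sh
# Print the disposition type (first token) of the Content-Disposition header
# found in raw HTTP response headers on stdin, or "none" if it is absent.
disposition_type() {
    tr -d '\r' | awk '
        BEGIN { found = "none" }
        index(tolower($0), "content-disposition:") == 1 {
            value = substr($0, length("content-disposition:") + 1)
            # mod_headers "append" joins values with a comma, so the type
            # is whatever precedes the first ";" or ",".
            split(value, parts, /[;,]/)
            gsub(/[ \t"]/, "", parts[1])
            found = tolower(parts[1])
            exit
        }
        END { print found }
    '
}

# Succeeds only when the response would be handled as a download.
pdf_forces_download() {
    [ "$(disposition_type)" = "attachment" ]
}

# Constructed sample responses (not captured from a real server).
SAMPLE_FIXED='HTTP/1.1 200 OK
Content-Type: application/pdf
Content-Disposition: attachment;'
SAMPLE_MERGED='HTTP/1.1 200 OK
Content-Type: application/pdf
Content-Disposition: inline; filename="report.pdf", attachment;'
SAMPLE_MISSING='HTTP/1.1 200 OK
Content-Type: application/pdf'

for sample in "$SAMPLE_FIXED" "$SAMPLE_MERGED" "$SAMPLE_MISSING"; do
    if printf '%s\n' "$sample" | pdf_forces_download; then
        echo "OK: PDF is sent as a download"
    else
        echo "CHECK: type is '$(printf '%s\n' "$sample" | disposition_type)'"
    fi
done

# Live check (placeholder host and path):
#   curl -sI http://your-server.example/some.pdf | disposition_type
```

If the merged case shows up on a real server, `Header set` replaces the existing value instead of appending to it.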