Security advisory

Server-side workarounds to prevent potential cross-site scripting vulnerability in versions 7.0.8 and earlier of Adobe Reader and Acrobat

Release date: January 9, 2007

Vulnerability identifier: APSA07-02

CVE number: CVE-2007-0045

Summary

Solution

Adobe recommends that Adobe Reader and Acrobat users update their software to prevent the issue. Potential server-side workarounds are detailed below.

NOTE: Before applying any of these configuration changes to your production servers they should be tested to make sure they work for your environment.

Modify the MIME type of PDFs.
One way to prevent the Adobe Reader and Acrobat Plugins from passing JavaScript to the browser is to force PDFs to open outside of the browser and Adobe Reader or Acrobat Professional. To accomplish this, change the MIME (Multipurpose Internet Mail Extension) type of the .pdf file extension (application/pdf) to a generic binary (application/octet-stream) which the web browser then will prompt the user to open or save.

IIS 6.0	Open the Internet Information Services Manager. Locate the folder containing PDFs under your website. Right-click the folder and select Properties. Select the HTTP Headers tab. Click the MIME Types… button. Click the New... button to create a new MIME type. Enter pdf for the Extension and application/octet-stream for MIME type. Click ok. Click ok. Click ok to apply the changes. Note: This property can changed on a specific file.
Apache 2.2.3	Use mod_mime and AddType or mod_rewrite Open httpd.conf or .htaccess Locate the <IfModule mime_module> section Insert AddType application/octet-stream .pdf Close and Save httpd.conf or .htaccess Restart the Apache Service

Add the Content-Disposition Header
Similar to changing the MIME type, a Content-Disposition Header can be added to the server response.

IIS 6.0	Open the Internet Information Services Manager. Locate the folder containing PDFs under your website. Right-click the folder and select Properties. Select the HTTP Headers tab. Click the MIME Types… button. Click the Add button in the Custom HTTP Headers section. Add a header named Content-Disposition with a value of attachment; filename=yourfile.pdf Click ok to apply the changes. Note that this setting is applied on a per file basis.
Apache 2.2.3	Use mod_headers Open httpd.conf Add <IfModule mod_headers.c> <FilesMatch "\.pdf$"> Header append Content-Disposition "attachment;" </FilesMatch> </IfModule> Close and Save httpd.conf Restart the Apache Service

Store PDF in a non web-accessible location
Lastly, in an environment where access to the configurations files is not possible, consider creating server-side code (ColdFusion, Java, PHP, ASP.NET, etc) to read the file and send it back as part of the Response. For example, MyPDF.cfm could be a script that returns the real PDF.
Note: you will still need to set the Response.ContentType to “application/pdf” or “application/octet-stream”. Review your server-side language documentation for more information.

Severity Rating

Adobe categorizes this as an important issue and recommends affected users update their software.

Details

This Security Advisory is intended to provide server-side workarounds for website operators to prevent the cross-site scripting vulnerability documented in Security Bulletin APSB07-01. A cross-site scripting (XSS) vulnerability in versions 7.0.8 and earlier of Adobe Reader and Acrobat could allow remote attackers to inject arbitrary JavaScript into a browser session. This issue could occur when a user clicks on a malicious link to a PDF file. Exploitability depends on the browser and browser version being used. This vulnerability does not allow execution of binary code. This issue is remotely exploitable. Adobe recommends that Adobe Reader and Acrobat users update their software to prevent the issue.