[SOLVED] Safe to allow pdf?
- Lucas Malor
- Senior Member
- Posts: 71
- Joined: Tue Nov 09, 2010 2:01 pm
- Contact:
I disabled JavaScript, multimedia operations and attachment opening in Acrobat Reader. Can I always allow PDFs without any concern?
Last edited by Lucas Malor on Tue Dec 14, 2010 8:43 am, edited 2 times in total.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12
Re: Safe to allow pdf?
What does this have to do with NoScript?
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b8pre) Gecko/20101124 Firefox/4.0b8pre
-
- Ambassador
- Posts: 1586
- Joined: Fri Mar 20, 2009 4:47 am
- Location: Colorado, USA
Re: Safe to allow pdf?
> Lucas Malor wrote: I disabled JavaScript, multimedia operations and attachment opening in Acrobat Reader. Can I always allow PDFs without any concern?

I assume you're referring to this section of http://noscript.net/features#contentblocking, Lucas.

> You can configure some exception to the Forbid Other Plugins option by setting the noscript.allowedMimeRegExp about:config preference to a pattern matching the content types you want to allow. For instance, setting it to "application/pdf" will let PDF document load automatically on every site. That said, are you sure you need to? Adobe Acrobat Reader plugin got its share of vulnerabilities so far, and after all, you can still allow individual PDF documents from untrusted sites just clicking on their placeholders.

That said, I don't know if you can "always allow PDFs without any concern" with the Acrobat Reader configuration you describe. It might be sufficient protection from known pdf vulnerabilities, but not for a zero-day exploit yet to be discovered.
Edit: Do you have a particular site in mind where using placeholders for PDF is a problem?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12
- Lucas Malor
- Senior Member
- Posts: 71
- Joined: Tue Nov 09, 2010 2:01 pm
- Contact:
Re: Safe to allow pdf?
> Alan Baxter wrote: I assume you're referring to this section of http://noscript.net/features#contentblocking, Lucas.

Yes.

> Alan Baxter wrote: It might be sufficient protection from known pdf vulnerabilities, but not for a zero-day exploit yet to be discovered.

Well, you make good points. Anyway I think that if the pdf is not embedded, I opened it myself. This can be not true when the domain is whitelisted and embedded contents are not applied to whitelisted domains too.
The problem is NoScript blocks PDFs even if they are not embedded. How can I avoid this, without allowing embedded ones too adding "application/pdf" to noscript.allowedMimeRegExp?

> Alan Baxter wrote: Do you have a particular site in mind where using placeholders for PDF is a problem?

No.
Last edited by Lucas Malor on Thu Nov 25, 2010 2:46 pm, edited 1 time in total.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12
- Giorgio Maone
- Site Admin
- Posts: 9524
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: Safe to allow pdf?
> Lucas Malor wrote: The problem is NoScript blocks PDFs even if they are not embedded. How can I avoid this, without allowing embedded PDFs too adding "application/pdf" to noscript.allowedMimeRegExp

You can't, and for a good reason.
There's no difference between an embedded PDF and one opened as a top-level document in the browser, from an attacker standpoint.
Both
```html
<iframe src="some-malicious.pdf"></iframe>
```
```html
<meta http-equiv="refresh" content="0;url=some-malicious.pdf">
```
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12
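The point of the last reply, as an added example that is not part of the thread: a page can start a PDF load with no click either by embedding the file or by redirecting the top-level document, so a page audit has to look for both. The function names and the `.pdf` / `application/pdf` heuristic are assumptions of this sketch, and the sample page is constructed from the two snippets quoted above.

```python
# Added example (not from the thread): list the ways a page can make the
# browser load a PDF with no click from the user.
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Attribute that carries the resource URL for each embedding element.
EMBED_ATTRS = {"iframe": "src", "frame": "src", "embed": "src", "object": "data"}
REFRESH_URL = re.compile(r"^\s*\d+\s*[;,]\s*(?:url\s*=\s*)?['\"]?([^'\"]+)", re.I)


def looks_like_pdf(url, declared_type=None):
    """Heuristic (assumption): .pdf path or a declared application/pdf type."""
    if declared_type and declared_type.strip().lower() == "application/pdf":
        return True
    return urlsplit(url.strip()).path.lower().endswith(".pdf")


class PdfAutoLoadFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in EMBED_ATTRS:
            url = a.get(EMBED_ATTRS[tag], "")
            if url and looks_like_pdf(url, a.get("type")):
                self.findings.append(("embedded", tag, url))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = REFRESH_URL.match(a.get("content", ""))
            if m and looks_like_pdf(m.group(1)):
                self.findings.append(("top-level", tag, m.group(1).strip()))


def find_pdf_autoloads(html):
    finder = PdfAutoLoadFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page using the two snippets quoted in the post.
SAMPLE = """<html><head>
<meta http-equiv="refresh" content="0;url=some-malicious.pdf">
</head><body>
<iframe src="some-malicious.pdf"></iframe>
<a href="manual.pdf">manual (needs a click)</a>
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url in find_pdf_autoloads(SAMPLE):
        print(f"{kind:9} <{tag}> -> {url}")
```

The plain link is not reported because it needs a click; the meta refresh and the iframe are both reported because neither does.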