CVE-2007-0044
Published 2007-01-03
Priority: P4 · 33 · medium · CVSS 2.0 base score 4.3
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Exploit: yes
EPSS: 55.47% (98.9th percentile)
Adobe Acrobat Reader Plugin before 8.0.0 for the Firefox, Internet Explorer, and Opera web browsers allows remote attackers to force the browser to make unauthorized requests to other web sites via a URL in the (1) FDF, (2) xml, and (3) xfdf AJAX request parameters, following the # (hash) character, aka "Universal CSRF and session riding."
Affected
26 ranges · showing 25 (only the two rows below carry a version range; the remaining entries are listed without one)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | acrobat | <= 7.0.8 | — |
| adobe | acrobat_reader | <= 7.0.8 | — |
Detection & IOCs (extracted from sources)
URL: http://www.example.com/librariancenter/downloads/Tips_Tricks_85x11.pdf#something=javascript:function%20createXMLHttpRequest(){%20%20%20try{%20return%20new%20ActiveXObject('Msxml2.XMLHTTP');%20}catch(e){}%20%20%20try{%20return%20new%20ActiveXObject('Microsoft.XMLHTTP');%20}catch(e){}%20%20%20try{%20return%20new%20XMLHttpRequest();%20}catch(e){}%20%20%20return%20null;}var%20xhr%20=%20createXMLHttpRequest();xhr.onreadystatechange%20=%20function(){%20%20%20%20if%20(xhr.readyState%20==%204)%20%20%20%20%20%20%20%20alert(xhr.responseText);};xhr.open('GET',%20'http://www.google.com',%20true);xhr.send(null);
- Monitor requests originating from the Adobe Reader browser plugin whose URL fragment (the part after #) carries FDF, xml, or xfdf parameters, as these trigger unauthorized cross-site requests. Caveat: browsers strip the fragment from the request line and from the Referer header, so the fragment is not visible in the request that fetches the PDF itself; the indicator is visible in the page body that carries the link, or on the client. On the wire the attack appears only as the plugin's follow-on request to the target site, sent with the victim's session for that site (the session-riding effect).
- Detect PDF links in page content where the fragment identifier (#) is followed by FDF=, xml=, or xfdf= parameters pointing to external URLs, indicating a CSRF/session-riding exploitation attempt via the Acrobat Reader plugin.
- Detect JavaScript payloads embedded in PDF URL fragments using the pattern .pdf#<param>=javascript: under any parameter name, particularly ones that instantiate ActiveXObject('Msxml2.XMLHTTP') or XMLHttpRequest for unauthorized cross-origin requests.
- The vulnerability affects Adobe Acrobat Reader Plugin versions before 8.0.0; versions 6 and 7 (up to and including 7.0.9) are confirmed vulnerable in Firefox, Internet Explorer, and Opera.
- The same CSRF/session-riding effect is achievable with any of the three parameter names (FDF, xml, xfdf), and the advisory writes the first one both as FDF and as fdf, so detection rules must cover all three names and match them case-insensitively.
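The detection rules above, implemented as an added example for this page (it is not code from any of the cited sources or from Adobe): a small Python scanner that pulls href/src values out of a page body, because the fragment never reaches the wire and page content is where the link is visible; it splits the fragment into parameters on the first "=" of each piece so a URL value containing "?" or "=" survives, flags FDF/xml/xfdf values that point at a host other than the PDF's own, and flags javascript: payloads under any parameter name. The sample page body, its host names and paths, and the finding labels (cross_site_request, same_site_request, javascript_fragment) are constructed for this example.

```python
import re
from urllib.parse import urlsplit, unquote

# Fragment parameters the pre-8.0 Acrobat plugin turned into requests
# (CVE-2007-0044). Compared case-insensitively, since the advisory writes
# the first one both as "FDF" and as "fdf".
VULN_PARAMS = ("fdf", "xml", "xfdf")

# href/src attribute values in a page body (double- or single-quoted).
_ATTR_RE = re.compile(r"""(?:href|src)\s*=\s*(?:"([^"]*)"|'([^']*)')""",
                      re.IGNORECASE)


def _split_fragment(fragment):
    """Split 'a=1&b=http://x/?q=' into (name, value) pairs, cutting each
    '&'-separated piece at its first '=' only, so '=' and '?' inside a URL
    value survive. Names are lower-cased; both sides are percent-decoded."""
    pairs = []
    for piece in fragment.split("&"):
        name, _, value = piece.partition("=")
        pairs.append((unquote(name).strip().lower(), unquote(value)))
    return pairs


def analyze_pdf_url(url):
    """Classify one URL. Returns [] for anything that is not a .pdf link
    with a fragment, otherwise a list of findings, each a dict with
    kind / param / target (target is the host the plugin would contact)."""
    parts = urlsplit(url)
    if not parts.fragment or not parts.path.lower().endswith(".pdf"):
        return []
    pdf_host = (parts.hostname or "").lower()
    findings = []
    for name, value in _split_fragment(parts.fragment):
        lowered = value.lstrip().lower()
        if lowered.startswith("javascript:"):
            # Rule 3: script payload in the fragment under any parameter
            # name (the PoC URL above uses "something=javascript:...").
            findings.append({"kind": "javascript_fragment",
                             "param": name, "target": None})
        elif name in VULN_PARAMS and re.match(r"(https?:)?//", lowered):
            # Rules 1-2: a URL handed to FDF/xml/xfdf. Loading form data
            # from the PDF's own host is the feature's legitimate use;
            # another host is the session-riding pattern.
            target = (urlsplit(value).hostname or "").lower()
            kind = ("cross_site_request" if target != pdf_host
                    else "same_site_request")
            findings.append({"kind": kind, "param": name, "target": target})
    return findings


def scan_html(html):
    """Run analyze_pdf_url over every href/src in a page body; return the
    (url, findings) pairs that fired, in document order."""
    hits = []
    for dq, sq in _ATTR_RE.findall(html):
        url = dq or sq
        findings = analyze_pdf_url(url)
        if findings:
            hits.append((url, findings))
    return hits


# Constructed sample page body (hosts and paths invented for this example):
# the advisory's link shape, a PoC-style javascript: fragment, a benign
# open-parameter link that must not fire, and a same-host xfdf pre-fill.
SAMPLE_HTML = """
<a href="http://site.com/file.pdf#FDF=http://victim.com/index.html?param=">report</a>
<iframe src="http://www.example.com/downloads/Tips.pdf#something=javascript:try{new%20ActiveXObject('Msxml2.XMLHTTP')}catch(e){}"></iframe>
<a href="http://site.com/manual.pdf#page=3">manual</a>
<a href='http://site.com/form.pdf#xfdf=//site.com/prefill.xfdf'>form</a>
"""

if __name__ == "__main__":
    for url, findings in scan_html(SAMPLE_HTML):
        for f in findings:
            print(f"{f['kind']:20} param={f['param']:<10} "
                  f"target={f['target']}  {url}")
```

Feed it the HTML of pages fetched through a proxy or content filter, or client-side link data; feeding it proxy access logs of the PDF fetch itself finds nothing, since the fragment is never sent there.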
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| vendor_redhat | — | 4.3 | MEDIUM | — |
Red Hat
Acrobat Reader Universal CSRF and session riding
vendor_redhat · 2007-01-03 · CVSS 4.3 · MEDIUM · CWE-352
GHSA
GHSA-f39f-q7vr-84pm: Adobe Acrobat Reader Plugin before 8
ghsa_unreviewed · 2022-05-01 · MEDIUM · CWE-352
No detection rules found.
Bugzilla
CVE-2007-0494 BIND dnssec denial of service
bugzilla · 2007-01-29 · CVSS 4.3 · MEDIUM
This entry concerns a different vulnerability (CVE-2007-0494, a BIND DNSSEC crash). It appears here because its closing comment links the Red Hat erratum RHSA-2007-0044, an identifier that matches this CVE's number but is unrelated to the Acrobat Reader issue.
ISC has reported a bug in BIND which could cause a server using dnssec validation to crash when processing a type * (ANY) DNS query response that contains multiple RRsets.
This flaw should also affect RHEL 2 and 3.
Discussion:
*** Bug 227468 has been marked as a duplicate of this bug. ***
---
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.
http://rhn.redhat.com/errata/RHSA-2007-0044.html
Bugzilla
CVE-2007-0044 Acrobat Reader Universal CSRF and session riding
bugzilla · 2007-01-17 · CVSS 4.3 · MEDIUM
Adobe Acrobat Reader versions 7.0.9 and below suffer from a flaw which can allow a malicious web page to launch a session riding attack on a site via the Acrobat Reader plugin. Here is a quote from the original advisory:
1. Universal CSRF and session riding
This is probably Adobe related as all tested browsers (IE, Firefox, Opera) were affected. The issue is that by creating a special link like this:
http://site.com/file.pdf#FDF=http://victim.com/index.html?param=
automatically Adobe plugin sends a request to 'victim.com' without user interaction asking for defined page in 'fdf' parameter. This could be used as a Universal Session Riding (aka UCSRF) attack which is a well known vulnerability.
Note that the same effect is
References
http://events.ccc.de/congress/2006/Fahrplan/attachments/1158-Subverting_Ajax.pdf
http://lists.suse.com/archive/suse-security-announce/2007-Jan/0012.html
http://secunia.com/advisories/23812
http://secunia.com/advisories/23882
http://secunia.com/advisories/29065
http://security.gentoo.org/glsa/glsa-200701-16.xml
http://securityreason.com/securityalert/2090
http://securitytracker.com/id?1017469
http://www.redhat.com/support/errata/RHSA-2008-0144.html
http://www.securityfocus.com/archive/1/455801/100/0/threaded
http://www.securityfocus.com/bid/21858
http://www.vupen.com/english/advisories/2007/0032
http://www.wisec.it/vulns.php?page=9
https://exchange.xforce.ibmcloud.com/vulnerabilities/31266
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10042