| ▲ | Shared404 19 hours ago |
| PDF also has script support unfortunately. |
|
| ▲ | mikkupikku 19 hours ago | parent | next [-] |
| That's apparently how 4chan got hacked a while back. They were letting users upload PDFs and were using ghostscript to generate thumbnails. From what I understand, the hackers uploaded a PDF which contained PostScript which exploited a ghostscript bug. |
| |
|
| ▲ | jonahx 18 hours ago | parent | prev [-] |
| Does that mean that opening arbitrary pdfs on your laptop is unsafe? |
| |
| ▲ | Sohcahtoa82 18 hours ago | parent | next [-] | | Let me put it this way... In one of my penetration testing training classes, in one of the lessons, we generated a malicious PDF file that would give us a shell when the victim opened it in Adobe. Granted, it relied on a specific bug in the JavaScript engine of Adobe Reader, so unless they're using a version that's 15 years old, it wouldn't work today, but you can't be too cautious. 0-days can always exist. | |
| ▲ | bmacho 18 hours ago | parent | prev [-] | | Yes, opening random pdfs especially in random and old pdf viewers is not a good idea. If you must open a possibly infected pdf, then do it in browser, pdf.js is considered mostly safe, and updated. | | |
| ▲ | rvnx 15 hours ago | parent [-] | | Use the PDF to JPG online services, convenient and you still get your result without having to deal with any sandbox | | |
| ▲ | bpt3 14 hours ago | parent [-] | | Except of course that you're sharing the contents of that PDF with a random online service. | | |
| ▲ | rvnx 14 hours ago | parent [-] | | True, I just considered that once you handle a PDF with so much care like if it was poisoned, it's perhaps better to send this poison to someone else to handle. |
|
|
|
|
