Wednesday, January 03, 2007

Oops...PDF, keep an eye on it!

From pdp
"You must understand that the attacker doesn’t need to have write access to the specified PDF document. In order to get an XSS vector working you need to have a PDF file hosted on the target and that’s all about it. The rest is just a matter of your abilities and desires.

This finding was originally mentioned by Sven Vetsch, on his blog. The attack vector was discovered by Stefano Di Paola and Giorgio Fedon. This is a very good and quite interesting finding. Good work."

A PoC:
http://some.random.site.com/foo.pdf#something=javascript:alert(123);

A couple of variants:
1. Universal CSRF / session riding;
(Mozilla Firefox, Internet Explorer, Opera + Acrobat Reader plugin)

2. UXSS in #FDF, #XML and #XFDF;
(Mozilla Firefox + Acrobat Reader plugin)

3. Possible Remote Code Execution;
(Mozilla Firefox + Acrobat Reader plugin)

4. Denial of Service;
(Internet Explorer + Acrobat Reader plugin)

Details @ http://www.wisec.it/vulns.php?page=9

Very interesting and dangerous bug; don't blindly click PDF links from now on. If you really need to download a PDF, keep an eye on the URL and strip any extra parameters after the file name if there are any. Dangerous, Dangerous, Dangerous! The web is getting really crazy, sigh.
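One way to turn that advice into a check a link filter or proxy could run is shown below. This is an added example, not code from the original post or from the advisory: the hostnames other than the PoC host are constructed, and the fragment keys it looks for (FDF, XML, XFDF) and the `javascript:` pattern come straight from the variant list and the PoC above. The point a defender should take from it is that everything after the `#` never reaches the server, so only the client (or something sitting in front of the client) can see and remove it.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl

# Fragment parameter names from the advisory's UXSS variant (#FDF, #XML, #XFDF).
SUSPICIOUS_FRAGMENT_KEYS = {"fdf", "xml", "xfdf"}


def is_pdf_link(url):
    """True when the URL path (not the query or fragment) ends in .pdf."""
    return urlsplit(url).path.lower().endswith(".pdf")


def classify_pdf_link(url):
    """Return a list of reasons the link looks like the Acrobat plugin vector.

    An empty list means the URL is either not a PDF link or carries no fragment.
    Fragments are never sent to the server, which is why the CSRF variant is
    'universal': server-side logs and filters cannot see this data at all.
    """
    parts = urlsplit(url)
    reasons = []
    if not is_pdf_link(url) or not parts.fragment:
        return reasons
    # Treat the fragment like a query string: name=value pairs joined by '&'.
    for key, value in parse_qsl(parts.fragment, keep_blank_values=True):
        if value.strip().lower().startswith("javascript:"):
            reasons.append(f"fragment parameter {key!r} carries a javascript: URL")
        if key.lower() in SUSPICIOUS_FRAGMENT_KEYS:
            reasons.append(f"fragment parameter {key!r} loads external {key.upper()} data")
    if not reasons:
        # Anything else after '#' on a PDF link is still worth a look, since it
        # is handed to the plugin without the server ever seeing it.
        reasons.append("PDF link carries a fragment the server never sees")
    return reasons


def strip_pdf_fragment(url):
    """Drop the fragment from a PDF link; non-PDF links are returned unchanged."""
    if not is_pdf_link(url):
        return url
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, parts.query, ""))


if __name__ == "__main__":
    # The PoC from the post plus two constructed links for comparison.
    samples = [
        "http://some.random.site.com/foo.pdf#something=javascript:alert(123);",
        "http://example.test/report.pdf#FDF=http://attacker.test/x.fdf",  # constructed
        "http://example.test/report.pdf?v=2#page=3",                     # constructed
    ]
    for link in samples:
        print(link)
        for reason in classify_pdf_link(link):
            print("   ", reason)
        print("    ->", strip_pdf_fragment(link))
```

The stripping is deliberately blunt: it removes every fragment on a PDF link, including a harmless `#page=3`, because a filter that tries to whitelist "safe" fragment names has to keep up with the plugin's parser, while dropping the fragment costs the user nothing but a page jump.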
