What's up Michal, IE is vulnerable too, since I used to play around with this bug a long time ago. It is a variation of your exploit but the principles are the same. I don't remember where I've read about it... hmm, I guess securityfocus.com... Very nice demo.
On 2/11/07, Michal Zalewski <[EMAIL PROTECTED]> wrote:
> There is an interesting logic flaw in Mozilla Firefox web browser.
>
> The vulnerability allows the attacker to silently redirect focus of
> selected key press events to an otherwise protected file upload form
> field. This is possible because of how onKeyDown / onKeyPress events are
> handled, allowing the focus to be moved between the two. If exploited,
> this enables the attacker to read arbitrary files on victim's system.
>
> This was tested with 2.0.0.1. Opera is most likely not vulnerable;
> Microsoft Internet Explorer is not vulnerable as-is, but might be
> vulnerable to a variant of the attack.
>
> All INPUT TYPE=FILE form fields enjoy the benefits of added protection to
> prevent scripts from arbitrarily choosing local files to be uploaded to the
> server, and automatically submitting the form. For example, .value
> parameter cannot be set or changed, and any changes to .type reset the
> contents of the field.
>
> Unfortunately, Firefox allows a malicious script to redirect carefully
> selected, individual user keystrokes to a hidden file upload field, in
> order to compose a particular filename, then submit the form. User
> interaction is required, limiting the impact somewhat - but any website
> where the user can be reasonably expected to enter some text (a
> keyboard-controlled web game, a blog posting or commenting interface) can
> attempt to exploit the vulnerability, and eventually succeed with one user
> or another.
>
> A quick and naive demonstration of the problem (Firefox on Windows is
> required; depends on scancode values, so not all keyboards may be
> supported):
>
> http://lcamtuf.coredump.cx/focusbug/
>
> (Ta-dah again)
>
> /mz
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
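The keystroke-selection logic that the quoted advisory describes (move focus to the hidden file field only for the keystrokes that happen to match the next character of the wanted path, and move it back afterwards) can be modelled without a browser. The following is an added illustration written for this page; it is not lcamtuf's focusbug demo and not code from either poster. The two-field state machine, the function names (`createRouter`, `keystrokesNeeded`), the target path and the typed comment are all constructed for the example. In a real page the `keydown`/`keypress`/`keyup` methods would be wired to the DOM handlers of a visible text field, and the advisory notes the Windows demo additionally depends on scancode values, which this model ignores.

```javascript
// Model of the "focus bug": the file field's .value cannot be set by
// script, but keystrokes delivered while it has focus still fill it in.
// A malicious keydown handler decides, per keystroke, which field gets
// the character; keyup returns focus to the visible field so the user
// sees nothing unusual beyond a few "dropped" characters.

// Constructed example target; any path the attacker wants to read works.
const TARGET_PATH = 'c:\\boot.ini';

// Hypothetical name. Returns a router holding both fields' contents.
function createRouter(target) {
  const state = { text: '', file: '', focus: 'text' };
  return {
    state,
    // onKeyDown fires before the character is delivered, so focus can be
    // redirected in time. Windows paths are case-insensitive, so a
    // keystroke in either case is accepted, which raises the hit rate.
    keydown(ch) {
      const want = target[state.file.length];
      if (want !== undefined && ch.toLowerCase() === want.toLowerCase()) {
        state.focus = 'file';
      }
    },
    // onKeyPress delivers the character to whichever field has focus.
    keypress(ch) {
      if (state.focus === 'file') state.file += ch;
      else state.text += ch;
    },
    // onKeyUp puts focus back on the visible field.
    keyup() {
      state.focus = 'text';
    },
    // True once every character of the target path has been captured;
    // at this point the attacker would submit the form.
    done() {
      return state.file.length === target.length;
    }
  };
}

// Hypothetical name. Feeds a typed string through the router and returns
// how many keystrokes it took to complete the filename, or -1 if the
// text never supplied the needed characters in order.
function keystrokesNeeded(target, typed) {
  const r = createRouter(target);
  let n = 0;
  for (const ch of typed) {
    n++;
    r.keydown(ch);
    r.keypress(ch);
    r.keyup();
    if (r.done()) return n;
  }
  return -1;
}

// Constructed sample: a user typing a blog comment.
const TYPED = 'Comments: c:\\boot.ini is fine';
const demo = createRouter(TARGET_PATH);
for (const ch of TYPED) { demo.keydown(ch); demo.keypress(ch); demo.keyup(); }
console.log('file field :', JSON.stringify(demo.state.file));
console.log('text field :', JSON.stringify(demo.state.text));
console.log('keystrokes :', keystrokesNeeded(TARGET_PATH, TYPED));
```

The interesting property is the one the advisory points at: the attacker never sets the file field's value, only chooses which user keystrokes reach it, so the .value protection is never triggered. The model also shows why a comment box or a typing game is the natural host: the script simply waits until a user, sooner or later, types the characters it still needs.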