carl hardwick wrote:
> PoC here: http://yathong.googlepages.com/FirefoxFocusBug.html
>
> The vulnerability allows the attacker to silently redirect focus of
> selected key press events to an otherwise protected file upload form
> field. This is possible because of how onKeyDown event is handled,
> allowing the focus to be moved between the two. This enables the
> attacker to read arbitrary files on victim's system.

many thanks for sharing this :)
it's a pretty serious vulnerability as said by Zalewski

regards,
Francesco `ascii` Ongaro
http://www.ush.it

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/