lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon Jun 12 19:22:22 2006
From: cmcauley at imperfectnetworks.com (Charles McAuley)
Subject: file upload widgets in IE and Firefox have
	issues

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Danny wrote:
> Hi ,
> 
> I read your article , but since I am not at all at home when scripting
> comes up,I still am wondering what this issue is exactly.
> 
My web-foo is not that strong either.
Bart van Arnhem made a much better example in IE than I did.
as he says, just simply bang on the keyboard alot.  make sure to press
the : char and the \ char for a full string.  You'll eventually see
c:\boot.ini appear.

> Could you give me an example as to clarify things for a non ? English
> speaking fella?
> 

In this wonderful, everything is the web driven world, its entirely
possibly that you might type enough text into a web-application in order
to filter out all the keys necessary to upload an arbitrary file off of
a computer.  For instance, into your web mail, or experts-exchange
forums, or google's new spreadsheet app, or a typing tutor program.

Is this a big a deal?  It depends entirely on your web surfing habits.


> Also ,what is this ?file input box??Are these the boxes in forms where
> one is supposed to fill in the name,address, password, etc?
> 

its the input widget...
<input type="file" name="uploadme" >
where you choose a file to upload from YOUR computer to a WEBSERVER.


> Sorry for not understanding it completely , it seems to me you have been
> busy digging out stuff the programmers should have checked in the first
> place.
> 

These flaws were reported a year ago, confirmed, and ignored by both
Mozilla and Microsoft.  I marked the bug on mozilla's site with the
security flag, it was their call to remove it.  Also, I wasn't the first
or last person to find this problem _independently_.  This has been
known to the Mozilla group since 2000.  Surely they could have done
something by now?

After a year, I figured I'd just let other people know about, maybe then
it would get fixed.  Do I think this is a huge gaping security hole?
Not right now, but Bart's code definitely shows what can be done if
other people keep banging away.

I'd like to repeat myself on that last point.
Security Impact: Minor

> Nice job there , I just hope I can fully understand it.
> 
> Kind regards,
> 
> Danny
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEjbDJyZFfwQJZqy8RAuDlAJ4uWUEEkDuPiNOZr9v2H9M7E63ayQCdEToT
S/Q3tXdbTxqOLdbDUA+IaFA=
=UJw+
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists