| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 11 Feb 2007 20:15:53 +0000 From: "pdp (architect)" <pdp.gnucitizen@...glemail.com> To: "Michal Zalewski" <lcamtuf@...ne.ids.pl> Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com Subject: Re: Firefox focus stealing vulnerability (possibly other browsers) what's up Michal, IE is vulnerable too, since I used to play around with this bug long time ago. It is a variation of your exploit but the principles are the same. I don't remember where I've read about it... hmm I guess securityfocus.com... very nice demo. On 2/11/07, Michal Zalewski <lcamtuf@...ne.ids.pl> wrote: > There is an interesting logic flaw in Mozilla Firefox web browser. > > The vulnerability allows the attacker to silently redirect focus of > selected key press events to an otherwise protected file upload form > field. This is possible because of how onKeyDown / onKeyPress events are > handled, allowing the focus to be moved between the two. If exploited, > this enables the attacker to read arbitrary files on victim's system. > > This was tested with 2.0.0.1. Opera is most likely not vulnerable; > Microsoft Internet Explorer is not vulnerable as-is, but might be > vulnerable to a variant of the attack. > > All INPUT TYPE=FILE form fields enjoy the benefits of added protection to > prvent scripts from arbitrarily choosing local files to be uploaded to the > server, and automatically submitting the form. For example, .value > parameter cannot be set or changed, and any changes to .type reset the > contents of the field. > > Unfortunately, Firefox allows a malicious script to redirect carefully > selected, individual user keystrokes to a hidden file upload field, in > order to compose a particular filename, then submit the form. User > interaction is required, limiting the impact somewhat - but any website > where the user can be reasonably expected to enter some text (a > keyboard-controlled web game, a blog posting or commenting interface) can > attempt to exploit the vulnerability, and eventually succeed with one user > or another. > > A quick and naive demonstration of the problem (Firefox on Windows is > required; depends on scancode values, so not all keyboards may be > supported): > > http://lcamtuf.coredump.cx/focusbug/ > > (Ta-dah again) > > /mz > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > -- pdp (architect) | petko d. petkov http://www.gnucitizen.org _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists