Message-ID: <004701c2f0e1$5e77c2d0$dd6ffea9@v>
Date: Sun, 23 Mar 2003 03:10:25 +0100
From: "Adam [ckkl]" <ckkl@...zta.wp.pl>
To: <bugtraq@...urityfocus.com>
Subject: IE - reading local files


Hello,

I don't know if anybody pointed it out before...

While playing with IE [6.0] I found out that 
it is possible to read local files with a little
help from the user...

How does it work?
1. IE lets you define a style for the INPUT type=file tag,
    including a clipping region, which makes it possible to 
    hide the "Browse..." button.

2. IE lets you handle 3 events
    - ondragstart
    - ondrag
    - ondragend
   for misc tags like DIV, INPUT, IMG and others

3. IE lets you change the content of the INPUT after
   the user started to drag it

Screenplay:
- user selects text in source INPUT
- user starts to drag text
- ondragstart event is fired
- the function takes control
  and changes the content
  of the source INPUT
- user drops the text in
  the uploading INPUT control
- ondragend event is fired
- function takes control and 
  submits the form at once

Exploit:
    - create the INPUT uploading control (type=file)
    - change its style to make it look innocent
      [remove border, clip the 'Browse...' button]
    - create the source INPUT control and make it 
      look like an innocent text [no borders, no focus]
    - write a simple handler for drag* events
      - it will change the content of the source INPUT 
       control to anything we want, f.ex. local filename
    - seduce user (f.ex. some kind of drag&drop 
      JavaScript game) to select text and drag it 
      into uploading control area and when
      it's done (ondragend), submit the form and this 
      way send the file to the server

Proof of concept:
http://www.sztolnia.pl/hack/dragquIEn/dragquIEn.html

Best Regards
Adam Blaszczyk
reverser, coder, writer & researcher  [VX/AV]
http://www.symantec.com (Localization Engineer)
http://www.mykakee.com (Home page)
Whatever I say in this e-mail is my private opinion.
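
A static check for the combination described in the message above, added here as an example and not part of the original post: it flags markup that pairs a clipped INPUT type=file with drag* event handler attributes. The sample pages, handler names and the `audit` function are constructed for illustration.

```python
from html.parser import HTMLParser

DRAG_EVENTS = {"ondragstart", "ondrag", "ondragend"}

# Constructed sample markup (not the post's proof of concept);
# the handler names h1/h2 are placeholders with no implementation.
SAMPLE_SUSPICIOUS = """
<form action="/upload" method="post" enctype="multipart/form-data">
  <input type="text" value="drag me" style="border:none" ondragstart="h1()" ondragend="h2()">
  <input type="file" name="f" style="border:0; position:absolute; clip:rect(0 60px 20px 0)">
</form>
"""
SAMPLE_BENIGN = """
<form action="/upload" method="post" enctype="multipart/form-data">
  <input type="file" name="avatar">
  <input type="submit" value="Upload">
</form>
"""

class DragUploadAudit(HTMLParser):
    """Collects file inputs styled with a clipping region and drag* handlers."""
    def __init__(self):
        super().__init__()
        self.clipped_file_inputs = []   # (line, style attribute)
        self.drag_handlers = []         # (line, tag, event attribute)

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lower-cases tag and attribute names.
        a = {k: (v or "") for k, v in attrs}
        line = self.getpos()[0]
        if tag == "input" and a.get("type", "").lower() == "file":
            style = a.get("style", "").lower().replace(" ", "")
            if "clip:" in style:
                self.clipped_file_inputs.append((line, a["style"]))
        for ev in DRAG_EVENTS.intersection(a):
            self.drag_handlers.append((line, tag, ev))

def audit(html):
    # Inline attributes only: handlers attached from script are not seen.
    p = DragUploadAudit()
    p.feed(html)
    p.close()
    return {
        "clipped_file_inputs": p.clipped_file_inputs,
        "drag_handlers": sorted(p.drag_handlers),
        "suspicious": bool(p.clipped_file_inputs and p.drag_handlers),
    }
```

A hit is a reason to review the page by hand, since either ingredient on its own is ordinary markup.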

