Date: Mon, 24 Mar 2003 17:28:45 +0100
From: "jelmer" <jelmer@...erus.xs4all.nl>
To: "Adam [ckkl]" <ckkl@...zta.wp.pl>, <bugtraq@...urityfocus.com>
Subject: Re: IE - reading local files


>> I don't know if anybody pointed it out before... 

Yes, I did; see http://msgs.securepoint.com/cgi-bin/get/bugtraq0302/12.html


----- Original Message ----- 
From: "Adam [ckkl]" <ckkl@...zta.wp.pl>
To: <bugtraq@...urityfocus.com>
Sent: Sunday, March 23, 2003 3:10 AM
Subject: IE - reading local files


> Hello,
> 
> I don't know if anybody pointed it out before...
> 
> While playing with IE [6.0] I found out that 
> it is possible to read local files with a little
> help of user...
> 
> How does it work?
> 1. IE lets you define style for the INPUT type=file tag
>     including a clipping region, which makes it possible to
>     hide the "Browse..." button.
> 
> 2. IE lets you handle 3 events
>     - ondragstart
>     - ondrag
>     - ondragend
>    for misc tags like DIV, INPUT, IMG and others
> 
> 3. IE lets you change the content of the INPUT after
>    the user started to drag it
> 
> Screenplay:
> - user selects text in source INPUT
> - user starts to drag text
> - ondragstart event is fired
> - the function takes control
>   and changes the content
>   of the source INPUT
> - user drops the text in
>   the uploading INPUT control
> - ondragend event is fired
> - function takes control and 
>   submits the form at once
> 
> Exploit:
>     - create the INPUT uploading control (type=file)
>     - change its style to make it look innocent
>       [remove border, clip the 'Browse...' button]
>     - create the source INPUT control and make it 
>       look like an innocent text [no borders, no focus]
>     - write a simple handler for drag* events
>       - it will change the content of the source INPUT 
>        control to anything we want, f.ex. local filename
>     - seduce user (f.ex. some kind of drag&drop 
>       JavaScript game) to select text and drag it 
>       into uploading control area and when
>       it's done (ondragend), submit the form and this 
>       way send the file to the server
> 
> Proof of concept:
> http://www.sztolnia.pl/hack/dragquIEn/dragquIEn.html
> 
> Best Regards
> Adam Blaszczyk
> reverser, coder, writer & researcher  [VX/AV]
> http://www.symantec.com (Localization Engineer)
> http://www.mykakee.com (Home page)
> Whatever I say in this e-mail is my private opinion.
> 


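A defender-side check for the pattern described in the post, as an added example that is not part of either message: a static scan for pages that combine a visually disguised type=file control with inline drag handlers that rewrite a field's value or submit the form. The function names, finding labels and sample markup are assumptions made for illustration.

```javascript
// Added example: static heuristic for the page pattern described in the post.
// Only inline attributes are inspected; handlers bound from script are not followed.
const TAG = /<([a-z][a-z0-9]*)((?:\s+[^\s"'>=\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*\/?>/gi;
const ATTR = /([^\s"'>=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Return every start tag as { name, attrs } with lower-cased names.
function parseTags(html) {
  const tags = [];
  for (const m of html.matchAll(TAG)) {
    const attrs = {};
    for (const a of m[2].matchAll(ATTR)) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? "";
    }
    tags.push({ name: m[1].toLowerCase(), attrs });
  }
  return tags;
}

// Flag the three ingredients from the post; "suspicious" needs the disguised
// upload control plus at least one drag handler that rewrites or submits.
function auditPage(html) {
  const findings = new Set();
  for (const { name, attrs } of parseTags(html)) {
    const style = (attrs.style || "").toLowerCase();
    const isFile = name === "input" && (attrs.type || "").toLowerCase() === "file";
    if (isFile && /\bclip\s*:|\bborder\s*:\s*(none|0)/.test(style)) {
      findings.add("disguised-file-input");
    }
    for (const ev of ["ondragstart", "ondrag", "ondragend"]) {
      const code = attrs[ev];
      if (code === undefined) continue;
      if (/\.value\s*=(?!=)/.test(code)) findings.add("drag-handler-rewrites-value");
      if (ev === "ondragend" && /\.submit\s*\(/.test(code)) findings.add("dragend-submits-form");
    }
  }
  const suspicious = findings.has("disguised-file-input") &&
    (findings.has("drag-handler-rewrites-value") || findings.has("dragend-submits-form"));
  return { suspicious, findings: [...findings].sort() };
}

// Constructed sample markup (inert placeholder instead of a real path).
const SAMPLE = `<form method="post" enctype="multipart/form-data">
  <input value="drag me" style="border:none"
         ondragstart="this.value = 'PLACEHOLDER_PATH'"
         ondragend="this.form.submit()">
  <input type="file" name="up" style="border: none; clip: rect(0 60px 20px 0)">
</form>`;

console.log(auditPage(SAMPLE));
```

A styled upload control on its own is reported as a finding but not marked suspicious, since custom-styled file inputs are common on legitimate pages.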