lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <6905b1570702111215ie807c52t4b60d74c9c090e0a@mail.gmail.com>
Date: Sun, 11 Feb 2007 20:15:53 +0000
From: "pdp (architect)" <pdp.gnucitizen@...glemail.com>
To: "Michal Zalewski" <lcamtuf@...ne.ids.pl>
Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] Firefox focus stealing vulnerability (possibly other browsers)

what's up Michal,

IE is vulnerable too, since I used to play around with this bug long
time ago. It is a variation of your exploit but the principles are the
same. I don't remember where I've read about it... hmm I guess
securityfocus.com...  very nice demo.

On 2/11/07, Michal Zalewski <lcamtuf@...ne.ids.pl> wrote:
> There is an interesting logic flaw in Mozilla Firefox web browser.
>
> The vulnerability allows the attacker to silently redirect focus of
> selected key press events to an otherwise protected file upload form
> field. This is possible because of how onKeyDown / onKeyPress events are
> handled, allowing the focus to be moved between the two. If exploited,
> this enables the attacker to read arbitrary files on victim's system.
>
> This was tested with 2.0.0.1. Opera is most likely not vulnerable;
> Microsoft Internet Explorer is not vulnerable as-is, but might be
> vulnerable to a variant of the attack.
>
> All INPUT TYPE=FILE form fields enjoy the benefits of added protection to
> prvent scripts from arbitrarily choosing local files to be uploaded to the
> server, and automatically submitting the form. For example, .value
> parameter cannot be set or changed, and any changes to .type reset the
> contents of the field.
>
> Unfortunately, Firefox allows a malicious script to redirect carefully
> selected, individual user keystrokes to a hidden file upload field, in
> order to compose a particular filename, then submit the form. User
> interaction is required, limiting the impact somewhat - but any website
> where the user can be reasonably expected to enter some text (a
> keyboard-controlled web game, a blog posting or commenting interface) can
> attempt to exploit the vulnerability, and eventually succeed with one user
> or another.
>
> A quick and naive demonstration of the problem (Firefox on Windows is
> required;  depends on scancode values, so not all keyboards may be
> supported):
>
>   http://lcamtuf.coredump.cx/focusbug/
>
> (Ta-dah again)
>
> /mz
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>


-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ