| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 13 Feb 2007 00:03:16 +0000 From: "pdp (architect)" <pdp.gnucitizen@...glemail.com> To: "Michal Zalewski" <lcamtuf@...ne.ids.pl> Cc: "Claus Färber" <GMANE@...rber.muc.de>, full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com Subject: Re: [Full-disclosure] Firefox focus stealing vulnerability (possibly other browsers) explanation of how the attack works here: http://www.gnucitizen.org/blog/browser-focus-rip On 2/12/07, Michal Zalewski <lcamtuf@...ne.ids.pl> wrote: > On Mon, 12 Feb 2007, [ISO-8859-1] Claus Färber wrote: > > > A proper solution would be to keep a list of files explicitly selected > > by the user and only allow uploads of files in this list. Then even if a > > script can manipulate the field, the browser won't upload files that > > have not been selected by the user. > > Not necessarily that easy: notice that it is the user who enters the name > of a target file. > > Unless you want to prevent the browser from accepting any files that were > not chosen using a visual file selector widget - but in such a case, > there's not much point in having a manual file path entry box in the first > place. > > /mz > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > -- pdp (architect) | petko d. petkov http://www.gnucitizen.org
Powered by blists - more mailing lists