lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <6905b1570702121603q4d204754n8ef8bf536d4c3e08@mail.gmail.com>
Date: Tue, 13 Feb 2007 00:03:16 +0000
From: "pdp (architect)" <pdp.gnucitizen@...glemail.com>
To: "Michal Zalewski" <lcamtuf@...ne.ids.pl>
Cc: full-disclosure@...ts.grok.org.uk,
	Claus Färber <GMANE@...rber.muc.de>,
	bugtraq@...urityfocus.com
Subject: Re: Firefox focus stealing vulnerability
	(possibly other browsers)

explanation of how the attack works here:

http://www.gnucitizen.org/blog/browser-focus-rip

On 2/12/07, Michal Zalewski <lcamtuf@...ne.ids.pl> wrote:
> On Mon, 12 Feb 2007, [ISO-8859-1] Claus Färber wrote:
>
> > A proper solution would be to keep a list of files explicitly selected
> > by the user and only allow uploads of files in this list. Then even if a
> > script can manipulate the field, the browser won't upload files that
> > have not been selected by the user.
>
> Not necessarily that easy: notice that it is the user who enters the name
> of a target file.
>
> Unless you want to prevent the browser from accepting any files that were
> not chosen using a visual file selector widget - but in such a case,
> there's not much point in having a manual file path entry box in the first
> place.
>
> /mz
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>


-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ