Message-ID: <Pine.LNX.4.58.0706302303420.4326@dione>
Date: Sat, 30 Jun 2007 23:13:07 +0200 (CEST)
From: Michal Zalewski <lcamtuf@...ne.ids.pl>
To: Joseph Hick <leet16y@...oo.com>
Cc: Full-Disclosure@...ts.grok.org.uk
Subject: Re: New flaw found in Firefox 2.0.0.4: Firefox file input focus vulnerabilities
On Sat, 30 Jun 2007, Joseph Hick wrote:
> This doesn't seem like a security flaw to me.
This is somewhat similar to my focus stealing bugs described here:
http://lcamtuf.coredump.cx/focusbug/
...though it seems to work on patched Firefox because of a clever use of
label-based aliasing.
Now, the vulnerability: for security reasons, the value of a file input field
cannot be specified in HTML or set scriptually (otherwise, you could then
just do submit() and have a file uploaded without the user's consent) - and we
want it to stay that way.
Still, a file input field can be hidden off-screen and the victim might not
be aware of its presence or contents. Now, if a malicious web page can
selectively redirect certain keystrokes to a hidden field of this type,
while giving the user the impression he's actually typing a web forum post,
playing a game, performing a search, or whatnot, with visible feedback
elsewhere on the webpage - we're in trouble: once a desired file name is
collected, the script can have the form submitted, complete with the victim's
file of the attacker's liking.
Non-trivial user interaction is required, of course, but it's not terribly
difficult to solicit some.
Cheers,
/mz
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
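The pattern Michal describes (a file input hidden off-screen, reachable through a label that aliases it) can be flagged heuristically when reviewing page markup. The scanner below is an added example, not code from the message or from the focusbug page; it parses tags with plain regular expressions rather than a DOM, and the HTML it runs on is constructed sample input.

```javascript
// Heuristic scanner: flags <input type="file"> elements whose style hides them
// or pushes them off-screen, and any <label for=...> that points at such an
// input (the label-based aliasing the message mentions). Constructed example.
const HIDDEN_STYLE =
  /display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])|(?:left|top|right|bottom)\s*:\s*-\d{3,}px|font-size\s*:\s*0/i;

// Parse the attributes of a single opening tag into an object. Boolean
// attributes (e.g. "hidden") get an empty-string value.
function parseAttrs(tag) {
  const attrs = {};
  const body = tag.replace(/^<\w+/, '');
  const re = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Return a list of findings for the given HTML string.
function findHiddenFileInputs(html) {
  const findings = [];
  const hiddenIds = new Set();
  let m;
  const inputRe = /<input\b[^>]*>/gi;
  while ((m = inputRe.exec(html)) !== null) {
    const a = parseAttrs(m[0]);
    if ((a.type || 'text').toLowerCase() !== 'file') continue;
    if (HIDDEN_STYLE.test(a.style || '') || 'hidden' in a) {
      findings.push({ kind: 'hidden-file-input', id: a.id || null, tag: m[0] });
      if (a.id) hiddenIds.add(a.id);
    }
  }
  const labelRe = /<label\b[^>]*>/gi;
  while ((m = labelRe.exec(html)) !== null) {
    const a = parseAttrs(m[0]);
    if (a.for && hiddenIds.has(a.for)) {
      findings.push({ kind: 'label-aliases-hidden-file-input', id: a.for, tag: m[0] });
    }
  }
  return findings;
}

// Constructed sample: one off-screen file input aliased by a label, plus a
// visible file input and a visible text field that should not be flagged.
const SAMPLE_HTML = `
<form action="/post" method="post" enctype="multipart/form-data">
  <label for="f">Type your forum post here:</label>
  <input type="file" id="f" name="upload" style="position:absolute; left:-2000px">
  <input type="file" name="attachment">
  <label for="title">Title</label><input type="text" id="title" name="title">
</form>`;

module.exports = { findHiddenFileInputs, parseAttrs, SAMPLE_HTML };
```

Running `findHiddenFileInputs(SAMPLE_HTML)` reports the off-screen input `f` and the label that targets it, and nothing for the two visible fields.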