lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <Pine.LNX.4.58.0706302303420.4326@dione>
Date: Sat, 30 Jun 2007 23:13:07 +0200 (CEST)
From: Michal Zalewski <lcamtuf@...ne.ids.pl>
To: Joseph Hick <leet16y@...oo.com>
Cc: Full-Disclosure@...ts.grok.org.uk
Subject: Re: New flaw found in Firefox 2.0.0.4: Firefox
 file input focus vulnerabilities

On Sat, 30 Jun 2007, Joseph Hick wrote:

> This doesn't seem like a security flaw to me.

This is somewhat similar to my focus stealing bugs described here:

  http://lcamtuf.coredump.cx/focusbug/

...though seems to work on patched Firefox because of a clever use of
label-based aliasing.

Now, the vulnerability For security reasons, value of file input field
cannot be specified in HTML or set scriptually (otherwise, you could then
just do submit() and have a file uploaded without user's consent) - and we
want it to stay that way.

Still, file input field can be hidden off-screen and the victim might be
not aware of its presence or contents. Now, if a malicious web page can
selectively redirect certain keystrokes to a hidden field of this type,
while giving the user an impression he's actually typing a web forum post,
playing a game, performing a search, or whatnot, with a visible feedback
elsewhere on the webpage - we're in trouble: once a desired file name is
collected, the script can have the form submitted, complete with victim's
file of attacker's liking.

Non-trivial user interaction is required, of course, but it's not terribly
difficult to solicit some.

Cheers,
/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ