Date: Sat, 30 Jun 2007 23:13:07 +0200 (CEST)
From: Michal Zalewski <lcamtuf@...ne.ids.pl>
To: Joseph Hick <leet16y@...oo.com>
Cc: Full-Disclosure@...ts.grok.org.uk
Subject: Re: New flaw found in Firefox 2.0.0.4: Firefox file input focus vulnerabilities

On Sat, 30 Jun 2007, Joseph Hick wrote:

> This doesn't seem like a security flaw to me.

This is somewhat similar to my focus stealing bugs described here:

  http://lcamtuf.coredump.cx/focusbug/

...though seems to work on patched Firefox because of a clever use of
label-based aliasing.

Now, the vulnerability. For security reasons, the value of a file input field
cannot be specified in HTML or set by script (otherwise, you could then
just do submit() and have a file uploaded without the user's consent) - and we
want it to stay that way.

Still, a file input field can be hidden off-screen, and the victim might not
be aware of its presence or contents. Now, if a malicious web page can
selectively redirect certain keystrokes to a hidden field of this type,
while giving the user the impression he's actually typing a web forum post,
playing a game, performing a search, or whatnot, with visible feedback
elsewhere on the webpage - we're in trouble: once a desired file name is
collected, the script can have the form submitted, complete with the victim's
file of the attacker's liking.

Non-trivial user interaction is required, of course, but it's not terribly
difficult to solicit some.

Cheers,
/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
