Closed Bug 29517 Opened 25 years ago Closed 25 years ago

File upload vulnerability using event.target

Categories

(Core :: Security, defect, P3)

x86
Other
defect

Tracking

VERIFIED FIXED

People

(Reporter: norrisboyd, Assigned: joki)

Details

(Whiteboard: [nsbeta2+])

It is possible for a script to set the value of a file upload control using event handlers and event.target. This allows stealing files. The code is:
------------------------------------------------------------
<INPUT ID="F1" NAME="F1" TYPE="FILE" onmouseover="event.target.value='C:\\AUTOEXEC.BAT';document.forms[0].submit()">
------------------------------------------------------------
Group: netscapeconfidential?
Status: NEW → ASSIGNED
Target Milestone: M14
The code designed to protect against uploading a file without the user's permission looks for a value of "type" equal to NS_FORM_INPUT_FILE. This check occurs in nsHTMLInputElement::SetValue. The code is fooled: the value of "type" is either NS_FORM_INPUT_TEXT or NS_FORM_INPUT_BUTTON. I talked with Vidur and he says the problem lies with anonymous content. He suggested extra code in HandleDOMEvent for input elements during the bubble phase that would check for a type of NS_FORM_INPUT_FILE and set the target to itself. I'm not familiar enough with events that I'd feel comfortable fixing it myself... Reassigning to joki and cc'ing evaughan.
Assignee: norris → joki
Severity: normal → critical
Status: ASSIGNED → NEW
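The following is an added illustration of the bypass described in the report above and of the retargeting fix proposed in the previous comment; it is not Mozilla's code and not part of this bug's history. It models a file control as a file-typed element whose rendered text box is anonymous content of type text (the two types and the SetValue check are taken from the comment; the class names, the dispatch functions and the submittedPath helper are this example's own inventions). With the unfixed dispatch, event.target is the anonymous text box, the script check in setValue never sees a file-typed element, and the path lands in the box the form would upload from; with the fix, the bubbling event is retargeted to the file input itself and the assignment is refused.

```javascript
// Constructed model of Mozilla bug 29517: not the browser's C++, just the
// control flow that mattered. Types mirror NS_FORM_INPUT_TEXT / NS_FORM_INPUT_FILE.
const NS_FORM_INPUT_TEXT = 'text';
const NS_FORM_INPUT_FILE = 'file';
const EXPLOIT_PATH = 'C:\\AUTOEXEC.BAT'; // the path from the reporter's handler

class InputElement {
  constructor(type, parent = null) {
    this.type = type;
    this.parent = parent;
    this.value = '';
  }
  // Analogue of nsHTMLInputElement::SetValue: a value set by script is refused
  // only when *this* element's type is NS_FORM_INPUT_FILE.
  setValue(v, fromScript) {
    if (fromScript && this.type === NS_FORM_INPUT_FILE) {
      throw new Error('script may not set the value of a file control');
    }
    this.value = v;
    return this.value;
  }
}

// A file control is rendered with anonymous content; the visible path box is a
// text-typed input whose parent is the file input. (Assumption of this model.)
function makeFileControl() {
  const file = new InputElement(NS_FORM_INPUT_FILE);
  file.anonText = new InputElement(NS_FORM_INPUT_TEXT, file);
  return file;
}

// What the form would submit: the control uploads whatever path its text box holds.
function submittedPath(file) {
  return file.anonText.value || null;
}

// Unfixed behaviour: the event's target is the raw anonymous node under the mouse.
function dispatchUnfixed(file, handler) {
  return handler({ type: 'mouseover', target: file.anonText });
}

// Fixed behaviour (the suggestion in the comment): while the event bubbles up
// from the anonymous node, a file-typed ancestor retargets the event to itself.
function dispatchFixed(file, handler) {
  let target = file.anonText;
  for (let node = file.anonText; node !== null; node = node.parent) {
    if (node.type === NS_FORM_INPUT_FILE) target = node;
  }
  return handler({ type: 'mouseover', target });
}

// The reporter's handler, translated: event.target.value = 'C:\\AUTOEXEC.BAT';
// document.forms[0].submit(). Returns the path that would be uploaded, or null
// if the value assignment was refused before submit ran.
function exploitHandler(event) {
  try {
    event.target.setValue(EXPLOIT_PATH, true); // fromScript = true
  } catch (e) {
    return null; // setValue threw: submit() is never reached
  }
  // find the file control this target belongs to and "submit" the form
  let node = event.target;
  while (node.type !== NS_FORM_INPUT_FILE) node = node.parent;
  return submittedPath(node);
}

// Run the exploit against a fresh control under a given dispatch model.
function runExploit(dispatch) {
  return dispatch(makeFileControl(), exploitHandler);
}

console.log('unfixed uploads:', runExploit(dispatchUnfixed)); // C:\AUTOEXEC.BAT
console.log('fixed uploads:  ', runExploit(dispatchFixed));   // null
```

The check a practitioner would take from this: a type check on `this` protects nothing when the object the script actually reaches is a different, inner node; the guard has to sit at the point where the event is handed to content, which is why the fix retargets during the bubble phase rather than adding another test inside SetValue.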
Add beta2 keyword for this exploit.
Keywords: beta2
So, based on the keyword, I'd say this isn't really an M14 bug... someone care to move it out?
Keywords: nsbeta2
Putting on [nsbeta2+] radar.
Keywords: beta2
Whiteboard: [nsbeta2+]
Changed QA contact to Cathy.
QA Contact: junruh → czhang
Fix in hand, reviewed by hyatt, will checkin today.
Whiteboard: [nsbeta2+] → [nsbeta2+] fix in hand
*** Bug 42515 has been marked as a duplicate of this bug. ***
Hyatt and I discussed a more generic solution to this issue but we think it will take some time. Decided to apply the fix to the file control only and work on the generic fix later. So this bug is fixed, as it only covers the security hole via the file control.
Status: NEW → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
Whiteboard: [nsbeta2+] fix in hand → [nsbeta2+]
verified.
Status: RESOLVED → VERIFIED
Opening fixed security bugs to the public.
Group: netscapeconfidential?