Closed
Bug 29517
Opened 25 years ago
Closed 24 years ago
File upload vulnerability using event.target
Categories
(Core :: Security, defect, P3)
Tracking
()
VERIFIED
FIXED
M14
People
(Reporter: norrisboyd, Assigned: joki)
References
()
Details
(Whiteboard: [nsbeta2+])
It is possible for a script to set the value of a file upload control using event handlers and event.target. This allows stealing files. The code is:
------------------------------------------------------------
<INPUT ID="F1" NAME="F1" TYPE="FILE" onmouseover="event.target.value='C:\\AUTOEXEC.BAT';document.forms[0].submit()">
------------------------------------------------------------
Reporter | ||
Updated•25 years ago
|
Group: netscapeconfidential?
Status: NEW → ASSIGNED
Target Milestone: M14
Reporter | ||
Comment 1•25 years ago
|
||
The code designed to protect against uploading a file without the user's permission looks for a value of "type" equal to NS_FORM_INPUT_FILE. This check occurs in nsHTMLInputElement::SetValue. The code is fooled: the value of "type" is either NS_FORM_INPUT_TEXT or NS_FORM_INPUT_BUTTON.

I talked with Vidur and he says the problem lies with anonymous content. He suggested extra code in HandleDOMEvent for input elements during the bubble phase that would check for a type of NS_FORM_INPUT_FILE and set the target to itself.

I'm not familiar enough with events that I'd feel comfortable fixing it myself... Reassigning to joki and cc'ing evaughan.
Assignee: norris → joki
Severity: normal → critical
Status: ASSIGNED → NEW
Comment 3•24 years ago
|
||
So, based on the keyword, I'd say this isn't really an M14 bug... someone care to move it out?
Assignee | ||
Comment 6•24 years ago
|
||
Fix in hand, reviewed by hyatt, will check in today.
Whiteboard: [nsbeta2+] → [nsbeta2+] fix in hand
Assignee | ||
Comment 8•24 years ago
|
||
Hyatt and I discussed a more generic solution to this issue but we think it will take some time. Decided to apply the fix to file control only and work on generic fix later. So this bug is fixed as it only covers the security hole via the file control.
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Whiteboard: [nsbeta2+] fix in hand → [nsbeta2+]
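The type-based guard and the bubble-phase retargeting discussed in comments 1 and 8, as a toy model added here; it is not Mozilla's code and does not come from anyone on this bug. The class and function names are hypothetical, and the model assumes that a write to the anonymous text child becomes the file control's value.

```javascript
// Toy model, not Mozilla code: a file control composed of anonymous
// text and button children, a guard keyed on the element's own type,
// and retargeting of the event during the bubble phase.
const FILE = "file", TEXT = "text", BUTTON = "button";

class Input {
  constructor(type, parent = null) {
    this.type = type;
    this.parent = parent;
    this._value = "";
  }
  // Guard as described in comment 1: a script write is refused only
  // when the element being written to has type FILE.
  set value(v) {
    if (this.type === FILE) throw new Error("script may not set a file value");
    this._value = v;
    // Assumption of this model: the anonymous child backs the control.
    if (this.parent && this.parent.type === FILE) this.parent._value = v;
  }
  get value() { return this._value; }
}

function makeFileControl() {
  const file = new Input(FILE);
  file.anonymous = [new Input(TEXT, file), new Input(BUTTON, file)];
  return file;
}

// A mouseover starts on the anonymous text child and bubbles to the
// file control, where the page's handler runs.
function dispatch(file, handler, retarget) {
  const event = { target: file.anonymous[0] };
  // The fix: while bubbling through a FILE input, the control sets
  // itself as the target before any handler sees the event.
  if (retarget && file.type === FILE) event.target = file;
  try {
    handler(event);
    return { blocked: false, value: file.value };
  } catch (e) {
    return { blocked: true, value: file.value };
  }
}

// Same write as the handler in the report (form submission omitted).
const handler = (event) => { event.target.value = "C:\\AUTOEXEC.BAT"; };
const before = dispatch(makeFileControl(), handler, false);
const after = dispatch(makeFileControl(), handler, true);
console.log({ before, after });
```

Without retargeting the handler reaches a child whose type is not FILE, so the guard never fires; with retargeting the same handler hits the guard and the control's value stays empty.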