Closed Bug 29517 Opened 25 years ago Closed 24 years ago

File upload vulnerability using event.target

Categories

(Core :: Security, defect, P3)

x86
Other
defect

Tracking


VERIFIED FIXED

People

(Reporter: norrisboyd, Assigned: joki)

References


Details

(Whiteboard: [nsbeta2+])

It is possible for a script to set the value of a file upload control using event
handlers and event.target. This allows stealing files. The code is:
------------------------------------------------------------
<INPUT ID="F1" NAME="F1" TYPE="FILE"
onmouseover="event.target.value='C:\\AUTOEXEC.BAT';document.forms[0].submit()">
------------------------------------------------------------
Group: netscapeconfidential?
Status: NEW → ASSIGNED
Target Milestone: M14
The code designed to protect against uploading a file without the user's 
permission looks for a value of "type" equal to NS_FORM_INPUT_FILE. This check 
occurs in nsHTMLInputElement::SetValue. The code is fooled: the value of "type" 
is either NS_FORM_INPUT_TEXT or NS_FORM_INPUT_BUTTON. 

I talked with Vidur and he says the problem lies with anonymous content. He 
suggested extra code in HandleDOMEvent for input elements during the bubble 
phase that would check for a type of NS_FORM_INPUT_FILE and set the target to 
itself. I'm not familiar enough with events that I'd feel comfortable fixing it 
myself... Reassigning to joki and cc'ing evaughan.
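The comment above explains the mechanism: the guard in SetValue only rejects an element whose own type is NS_FORM_INPUT_FILE, but event.target for a mouseover on a file control is the anonymous text box or button that renders it, so the guard sees TEXT or BUTTON. The following is an added toy model of that guard and of the retargeting fix Vidur suggested; it is not Mozilla's code. It assumes (for illustration only) that a file control renders as an anonymous text box plus a button and that the submitted path is read back from that text box; the element and function names are invented.

```javascript
// Toy model of bug 29517: a type check on event.target fooled by anonymous
// content, and the bubble-phase retargeting that closes the hole.
// Illustrative code, not from the Mozilla tree.

const NS_FORM_INPUT_FILE = 'file';
const NS_FORM_INPUT_TEXT = 'text';
const NS_FORM_INPUT_BUTTON = 'button';

class InputElement {
  constructor(type, anonymousHost = null) {
    this.type = type;
    this.value = '';
    this.anonymousHost = anonymousHost;   // set on the anonymous children of a file control
    this.anonymousChildren = [];
  }
}

// Assumption: a file control is rendered by an anonymous text box and a
// "Browse" button, both of which are themselves input elements.
function makeFileControl() {
  const host = new InputElement(NS_FORM_INPUT_FILE);
  host.anonymousChildren.push(new InputElement(NS_FORM_INPUT_TEXT, host));
  host.anonymousChildren.push(new InputElement(NS_FORM_INPUT_BUTTON, host));
  return host;
}

// Assumption: the path the form would submit is whatever the anonymous
// text box currently holds.
function submittedPath(host) {
  return host.anonymousChildren[0].value;
}

// The guard as the bug describes it: it refuses a script-driven write only
// when the element being written reports type FILE. Returns whether the
// write went through.
function setValue(element, newValue) {
  if (element.type === NS_FORM_INPUT_FILE) {
    return false;
  }
  element.value = newValue;
  return true;
}

// Vulnerable dispatch: event.target is the anonymous child under the mouse,
// whose type is TEXT or BUTTON, so the guard never fires.
function dispatchVulnerable(host, childIndex) {
  return { target: host.anonymousChildren[childIndex] };
}

// Fixed dispatch: while the event bubbles out of anonymous content, a file
// control substitutes itself as the target, so the guard sees FILE.
function dispatchFixed(host, childIndex) {
  const event = { target: host.anonymousChildren[childIndex] };
  const origin = event.target.anonymousHost;
  if (origin && origin.type === NS_FORM_INPUT_FILE) {
    event.target = origin;
  }
  return event;
}

// Runs the handler from the report ("event.target.value = path") through a
// dispatch model and reports whether a script-chosen path would be submitted.
function scenario(dispatch, path) {
  const host = makeFileControl();
  const event = dispatch(host, 0);          // mouse is over the anonymous text box
  const written = setValue(event.target, path);
  return { written, submitted: submittedPath(host) };
}

const spoofed = 'C:\\AUTOEXEC.BAT';        // the value used in the report
console.log('vulnerable:', scenario(dispatchVulnerable, spoofed));
console.log('fixed:     ', scenario(dispatchFixed, spoofed));
```

The point of the model is the one the comment makes: the type check itself is sound, it is just asked about the wrong element. Retargeting to the host during the bubble phase, rather than adding special cases to every anonymous child, is what makes the existing check apply.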
Assignee: norris → joki
Severity: normal → critical
Status: ASSIGNED → NEW
Add beta2 keyword for this exploit.
Keywords: beta2
So, based on the keyword, i'd say this isn't really an m14 bug... someone care
to move it out?
Keywords: nsbeta2
Putting on [nsbeta2+] radar.  
Keywords: beta2
Whiteboard: [nsbeta2+]
Changed QA contact to Cathy.
QA Contact: junruh → czhang
Fix in hand, reviewed by hyatt, will checkin today.
Whiteboard: [nsbeta2+] → [nsbeta2+] fix in hand
*** Bug 42515 has been marked as a duplicate of this bug. ***
Hyatt and I discussed a more generic solution to this issue but we think it will 
take some time.  Decided to apply the fix to file control only and work on 
generic fix later.  so this bug is fixed as it only covers the security hole via 
the file control.
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Whiteboard: [nsbeta2+] fix in hand → [nsbeta2+]
verified.
Status: RESOLVED → VERIFIED
Opening fixed security bugs to the public.
Group: netscapeconfidential?