Closed Bug 304480 Opened 15 years ago Closed 15 years ago
Filtered user input can be used to steal local files
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6 Stealing files using automated form upload is a really old idea. There are various security checks to prevent this, but using redirection of user input we can still steal arbitrary local files. This is possible since the onkeydown event (unlike the onkeypress event) on a file input field can be used to read the keyCode a user is going to enter. By only allowing certain characters in a certain order (by returning false on keyCodes we don't want) we can create arbitrary strings. The longer the user given text, the better the chance we can create a good path out of it. Beside the given proof-of-concept a perfect field for exploits would be any kind of web based email, blogging or messaging system where users insert a lot of text. See the testcase source code for further details and some possible issues with keyboard layouts (testcase will probably only work with english and german keyboard layouts). Reproducible: Always Steps to Reproduce: 1. Open http://bugzilla:cZ3l9eS@www.mikx.de/firestealing/ 2. Follow instructions
*** This bug has been marked as a duplicate of 56236 ***
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.