Closed Bug 304480 Opened 15 years ago Closed 15 years ago

Filtered user input can be used to steal local files

Categories: Firefox :: General, defect
Status: VERIFIED DUPLICATE of bug 56236
People: Reporter: mikx, Unassigned

Details
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6

Stealing files using automated form upload is a really old idea. There are
various security checks to prevent this, but using redirection of user input we
can still steal arbitrary local files.

This is possible since the onkeydown event (unlike the onkeypress event) on a
file input field can be used to read the keyCode a user is going to enter. By
only allowing certain characters in a certain order (by returning false on
keyCodes we don't want) we can create arbitrary strings.

The longer the user-given text, the better the chance we can create a good path
out of it. Besides the given proof-of-concept, a perfect field for exploits would
be any kind of web-based email, blogging or messaging system where users insert
a lot of text.

See the testcase source code for further details and some possible issues with
keyboard layouts (the testcase will probably only work with English and German
keyboard layouts).

Reproducible: Always

Steps to Reproduce:
1. Open http://bugzilla:cZ3l9eS@www.mikx.de/firestealing/
2. Follow instructions

*** This bug has been marked as a duplicate of 56236 ***
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Group: security
Status: RESOLVED → VERIFIED