Closed Bug 408034 Opened 12 years ago Closed 12 years ago
Event can be used to set focus on file input and selectively capture keystrokes, which can be used to upload arbitrary files
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:126.96.36.199) Gecko/20071127 Firefox/188.8.131.52
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:184.108.40.206) Gecko/20071127 Firefox/220.127.116.11

By creating a "MouseEvent" and using dispatchEvent to send a "click" to a file input element or a label associated with the file, the focus can be set on the text portion of the file input. This can be used to selectively capture keystrokes and construct a path that can be used to upload arbitrary files from a user's computer. By sending the click as an event, the focus restrictions in bug #370092 can be bypassed. An alternate approach is to use the observation in bug #404391 and send click to an additional input element nested inside of the label.

Reproducible: Always

User agents tested:
- Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:18.104.22.168) Gecko/20071127 Firefox/22.214.171.124
- Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:126.96.36.199) Gecko/20071127 Firefox/188.8.131.52
- Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:184.108.40.206pre) Gecko/20071211 BonEcho/220.127.116.11pre
- Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:18.104.22.168) Gecko/20071127 Firefox/22.214.171.124
- Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:126.96.36.199pre) Gecko/20071211 BonEcho/188.8.131.52pre
Attached test-case and file stealing demo.
The attachment contains a test case (simple-click.html) and file stealing demo (plausible.html + upload.cgi). The simple-click.html file demonstrates how any of the elements in the grey box (label, file input and text input) can be sent a "click" mouse event. Any keystrokes entered in the textarea will be transferred to the file input text field. No attempt is made to filter keystrokes.

The plausible.html file demonstrates how an actual attack could be constructed. The layout presented is similar to many blog comment sections. All of the fields are hooked so any keystroke that is entered can be used. Once the desired file is matched, the form would be automatically submitted. The two files in the demo are "/etc/hosts" on Linux and Mac OS X and "c:\boot.ini" on Windows. Using a special set of captchas, any well known file could be targeted. For instance, an attack under Windows could include the 'c', ':', and '\' characters. Multiple failures could be generated to capture the necessary keystrokes by refreshing the image via XMLHttpRequest. Some potential well known targets on Linux or Mac OS X would be "/etc/passwd" or "~/.gnupg/secring.gpg". The demo is standalone by default, but the 'upload.cgi' Perl CGI script can be used to actually submit the file.
Gregory, thanks for the bug report, but this turns out to be already reported, bug 405299.
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 405299
Making this "block" 184.108.40.206 so this bug stays in our queries for verification that it really is the same thing.
Whiteboard: [sg:dupe 405299]
I've checked this in Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:220.127.116.11) Gecko/2008012822 Firefox/18.104.22.168. It no longer shows the matching (in green highlighting) for '/etc/hosts'. Based on the other demos from this same series of issues, I believe that means that the problem is fixed. Can you confirm that this is a correct assumption, Gregory (or Dan)?
Yes, that is a mostly correct assumption. This bug had a different root cause (ability to programmatically send click events to set focus) which was fixed in bug 405299. The mechanism by which this bug was exploited (selectively canceling keystrokes) was fixed in bug 413135. In either case, this bug has been fixed. I tested this with Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:22.214.171.124pre) Gecko/20080130 BonEcho/126.96.36.199pre.