Closed
Bug 408034
Opened 17 years ago
Closed 17 years ago
"click" MouseEvent can be used to set focus on file input and selectively capture keystrokes, which can be used to upload arbitrary files
Categories
(Firefox :: Security, defect)
Status: RESOLVED DUPLICATE of bug 405299
People
(Reporter: gfleischer+bugzilla, Unassigned)
Details
(Keywords: verified1.8.1.12, Whiteboard: [sg:dupe 405299])
Attachments (1 file): 9.73 KB, application/zip
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
By creating a "MouseEvent" and using dispatchEvent to send a "click" to a file input element or a label associated with the file, the focus can be set on the text portion of the file input. This can be used to selectively capture keystrokes and construct a path that can be used to upload arbitrary files from a user's computer.
By sending the click as an event, the focus restrictions in bug #370092 can be bypassed.
An alternate approach is to use the observation in bug #404391 and send click to an additional input element nested inside of the label.
Reproducible: Always
User agents tested:
- Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
- Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
- Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.12pre) Gecko/20071211 BonEcho/2.0.0.12pre
- Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
- Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12pre) Gecko/20071211 BonEcho/2.0.0.12pre
Comment 1 • 17 years ago (Reporter)
Attached test-case and file stealing demo.
Comment 2 • 17 years ago (Reporter)
The attachment contains a test case (simple-click.html) and file stealing demo
(plausible.html + upload.cgi).
The simple-click.html file demonstrates how any of the elements in the grey box
(label, file input and text input) can be sent a "click" mouse event. Any
keystrokes entered in the textarea will be transferred to the file input text
field. No attempt is made to filter key strokes.
The plausible.html file demonstrates how an actual attack could be constructed.
The layout presented is similar to many blog comment sections. All of the
fields are hooked so any keystroke that is entered can be used. Once the
desired file is matched, the form would be automatically submitted.
The two files in the demo are "/etc/hosts" on Linux and Mac OS X and
"c:\boot.ini" on Windows. Using a special set of captchas, any well known file
could be targeted. For instance, an attack under Windows could include the
'c', ':', and '\' characters. Multiple failures could be generated to capture
the necessary keystrokes by refreshing the image via XMLHttpRequest. Some
potential well known targets on Linux or Mac OS X would be "/etc/passwd" or
"~/.gnupg/secring.gpg".
The demo is standalone by default, but the 'upload.cgi' Perl CGI script can be used to actually submit the file.
Comment 3 • 17 years ago
Gregory, thanks for the bug report, but this turns out to be already reported, bug 405299.
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
Comment 4 • 17 years ago
Making this "block" 1.8.1.12 so this bug stays in our queries for verification that it really is the same thing.
Flags: blocking1.8.1.12+
Whiteboard: [sg:dupe 405299]
Updated • 17 years ago
Flags: wanted1.8.1.x+
Updated • 17 years ago
Keywords: fixed1.8.1.12
Comment 5 • 17 years ago
I've checked this in Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.12) Gecko/2008012822 Firefox/2.0.0.12. It no longer shows the matching (in green highlighting) for '/etc/hosts'. Based on the other demos from this same series of issues, I believe that means that the problem is fixed. Can you confirm that this is a correct assumption, Gregory (or Dan)?
Comment 6 • 17 years ago (Reporter)
Yes, that is a mostly correct assumption.
This bug had a different root cause (ability to programmatically send click events to set focus) which was fixed in bug 405299.
The mechanism by which this bug was exploited (selectively canceling keystrokes) was fixed in bug 413135.
In either case, this bug has been fixed. I tested this with Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.12pre) Gecko/20080130 BonEcho/2.0.0.12pre.
Comment 7 • 17 years ago
Ok, thanks Gregory!
Marking verified1.8.1.12 then.
Keywords: fixed1.8.1.12 → verified1.8.1.12
Updated • 17 years ago
Group: security