Closed
Bug 411073
Opened 17 years ago
Closed 17 years ago
File upload input focus stealing: if click event is canceled on label with tabindex, focus is set on file text entry field
Categories
(Core :: Security, defect)
Tracking
()
VERIFIED
FIXED
People
(Reporter: gfleischer+bugzilla, Assigned: smaug)
References
()
Details
(Keywords: verified1.8.1.12, Whiteboard: [sg:moderate] 1.8-branch)
Attachments
(3 files)
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
If a label element associated with a file input element has a "tabindex" attribute, click events can be canceled and focus is set on the file text entry field.
Once the focus is set on the file element, any entered keystrokes can be selectively captured and potentially used to upload arbitrary files from the user.
Reproducible: Always
Tested with user agents:
- Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.1.11)
Gecko/20071127 Firefox/2.0.0.11
- Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127
Firefox/2.0.0.11
- Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127
Firefox/2.0.0.11
- Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.12pre)
Gecko/20080106 BonEcho/2.0.0.12pre
- Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12pre)
Gecko/20080106 BonEcho/2.0.0.12pre
|
Reporter | |
Comment 1•17 years ago
|
||
|
|
Reporter | |
Comment 2•17 years ago
|
||
The file-label-click-cancel-stealing.html file demonstrates how an actual attack could be constructed. On Mac OS X and Linux, "/etc/hosts" is targeted and on Windows, "c:\boot.ini". The JavaScript and image files are required for the demo to function properly.
The demo is standalone by default, but the included 'upload.cgi' Perl CGI
script can be used to capture the submitted the file.
|
||
Updated•17 years ago
|
Assignee: nobody → dveditz
Flags: blocking1.8.1.12?
Product: Firefox → Core
QA Contact: firefox → toolkit
|
|
||
Updated•17 years ago
|
Whiteboard: [sg:moderate]
|
||
Updated•17 years ago
|
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.9?
Flags: blocking1.8.1.12?
Flags: blocking1.8.1.12+
|
||
Updated•17 years ago
|
Whiteboard: [sg:moderate] → [sg:moderate] 1.8-branch
|
|
||
Updated•17 years ago
|
Assignee: dveditz → Olli.Pettay
|
|
||
Updated•17 years ago
|
Attachment #295718 -
Attachment mime type: application/zip → application/java-archive
|
|
||
Comment 3•17 years ago
|
||
The fix in bug 413135 makes this attack ineffective on branch; trunk not affected.
Status: NEW → RESOLVED
Closed: 17 years ago
Keywords: fixed1.8.1.12
Resolution: --- → FIXED
Version: unspecified → 1.8 Branch
|
|
Reporter | |
Comment 4•17 years ago
|
||
Updated the example attack to use the disabled property to selectively cancel keystrokes.
This bypasses the fix for bug 413135 in attachment 298006 [details] [diff] [review].
|
||
Comment 5•17 years ago
|
||
Yes, this is not fixed in branch. I ran all three demos test cases in Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.12) Gecko/2008012822 Firefox/2.0.0.12 and was able to reproduce the bug without difficulty.
|
|
||
Comment 6•17 years ago
|
||
My bad. The test cause is counterintuitive.
Olli and I just conferred and this is fixed. Re-resolving and verifying.
Status: REOPENED → RESOLVED
Closed: 17 years ago → 17 years ago
Keywords: fixed1.8.1.12
Resolution: --- → FIXED
|
|
||
Updated•17 years ago
|
Status: RESOLVED → VERIFIED
|
|
||
Updated•17 years ago
|
Keywords: fixed1.8.1.12 → verified1.8.1.12
|
|
||
Updated•16 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•