Closed Bug 411077 Opened 13 years ago Closed 13 years ago

File upload input focus stealing: by setting font size larger than page, any user mouse click will set focus in file element

Categories

(Core :: Security, defect)

1.8 Branch
defect
Not set
normal

Tracking

()

VERIFIED FIXED

People

(Reporter: gfleischer+bugzilla, Assigned: smaug)

References

()

Details

(Keywords: verified1.8.1.12, Whiteboard: [sg:moderate] 1.8-branch)

Attachments

(3 files)

User-Agent:       Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11

By setting the font size of the file input element larger than the page, the text entry portion will cover the entire visible page.  Any user mouse click on the page will set the focus in the file input text entry field.

Once the focus is set on the file element, any entered keystrokes can be
selectively captured and potentially used to upload arbitrary files from the
user.



Reproducible: Always




Tested with user agents:

 - Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.1.11)
Gecko/20071127 Firefox/2.0.0.11
- Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127
Firefox/2.0.0.11
 - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127
Firefox/2.0.0.11
- Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.12pre)
Gecko/20080106 BonEcho/2.0.0.12pre
- Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12pre)
Gecko/20080106 BonEcho/2.0.0.12pre
Clicking anywhere in the example set the focus in the file input text field.
The file-font-size-stealing.html file demonstrates how an actual attack could be constructed.  On Mac OS X and Linux, "/etc/hosts" is targeted and on Windows, "c:\boot.ini".  The JavaScript and image files are required for the demo to function properly.

The demo is standalone by default, but the included 'upload.cgi' Perl CGI
script can be used to capture the submitted the file.
Assignee: nobody → dveditz
Flags: blocking1.8.1.12?
Product: Firefox → Core
QA Contact: firefox → toolkit
Whiteboard: [sg:moderate]
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.9?
Flags: blocking1.8.1.12?
Flags: blocking1.8.1.12+
Whiteboard: [sg:moderate] → [sg:moderate] 1.8-branch
Attachment #295720 - Attachment mime type: application/zip → application/java-archive
Assignee: dveditz → Olli.Pettay
Flags: blocking1.9? → wanted1.8.1.x+
Version: unspecified → 1.8 Branch
Depends on: 413135
The fix in bug 413135 makes this attack ineffective on branch; trunk not affected.
Status: NEW → RESOLVED
Closed: 13 years ago
Keywords: fixed1.8.1.12
Resolution: --- → FIXED
Updated the example attack to use the disabled property to selectively cancel keystrokes.

This bypasses the fix for bug 413135 in attachment 298006 [details] [diff] [review].
I have verified that with Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.12) Gecko/2008012822 Firefox/2.0.0.12, the updated attack from Gregory still exploits the browser.

I did note that if I tabbed around the fields, the exploit, as written here, doesn't seem to capture input and you never get the alert.
Status: RESOLVED → REOPENED
Keywords: fixed1.8.1.12
Resolution: FIXED → ---
My bad. The test cause is counterintuitive. 

Olli and I just conferred and this is fixed. Re-resolving and verifying.
Status: REOPENED → RESOLVED
Closed: 13 years ago13 years ago
Keywords: fixed1.8.1.12
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
Group: core-security
You need to log in before you can comment on or make changes to this bug.