Closed Bug 411080 Opened 13 years ago Closed 13 years ago

File upload input focus stealing: any "tab" keydown events can be used to set focus in file input element

Product/Component: Core :: Security (defect)
Status: VERIFIED FIXED
Reporter: gfleischer+bugzilla; Assigned: smaug
Keywords: verified1.8.1.12; Whiteboard: [sg:moderate] 1.8-branch
Attachments: 3 files

User-Agent:       Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11

By examining keydown events for the tab key, focus can be set in the file input text entry field.  When a tab keydown event is detected, the focus is set to another element.  Then, when the keypress event is fired, the browser will interpret the tab key and move the focus.  By specially choosing the element to set the focus on, the tab key will move the focus to file input element.  

For example, if a tab keydown event is detected, the element is chosen such that the next element in the tab cycle is the file input.  

If a shift+tab is detected, a slightly different approach is required.  The element is chosen so the file input precedes it in the tab cycle, but depending on the operating system focus may end up on the file picker button instead.  To compensate, instead of targeting a file input element, a label associated with the file is used instead.  Then when focus is set on the label, it is transferred to the file input element.

Although requiring additional user interaction initially, once the focus is set on the file element, any entered keystrokes can be selectively captured and potentially used to upload arbitrary files from the user.

Reproducible: Always

Once a tab is detected, the example attempts to disable mousedown events and ignore tabs.  Depending on the operating system, this may or may not work.  Use the reset button to reset the form.

Example tested with user agents:

 - Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
 - Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
 - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
 - Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.12pre) Gecko/20080106 BonEcho/2.0.0.12pre
 - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12pre) Gecko/20080106 BonEcho/2.0.0.12pre

The tab-hooking-stealing.html file demonstrates how an actual attack could be constructed.  On Mac OS X and Linux, "/etc/hosts" is targeted and on Windows, "c:\boot.ini".  The JavaScript and image files are required for the demo to function properly.

The demo is standalone by default, but the included 'upload.cgi' Perl CGI script can be used to capture the submitted file.
Assignee: nobody → dveditz
Flags: blocking1.8.1.12?
Product: Firefox → Core
QA Contact: firefox → toolkit
Whiteboard: [sg:moderate]
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.8.1.12? → blocking1.8.1.12+
Whiteboard: [sg:moderate] → [sg:moderate] 1.8-branch
Attachment #295721 - Attachment mime type: application/zip → application/java-archive
On all of these it's easier to tell the difference of when you're really focused in a form field and when the real focus is in the hidden file upload control if you set the pref "browser.display.use_focus_colors" to true. You can also use Firebug, DOMI or other tools to bring the file upload control back onto the page.
Assignee: dveditz → Olli.Pettay
Flags: wanted1.8.1.x+
Depends on: 413135
The fix in bug 413135 makes this attack ineffective on branch; trunk not affected.
Status: NEW → RESOLVED
Closed: 13 years ago
Keywords: fixed1.8.1.12
Resolution: --- → FIXED
Updated the example attack to use the disabled property to selectively cancel keystrokes.

This bypasses the fix for bug 413135 in attachment 298006 [details] [diff] [review].
I have verified that with Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.12) Gecko/2008012822 Firefox/2.0.0.12, the updated attack from Gregory still exploits the browser.

As noted in one of the related bugs, the demo should be updated to take keyboard tabbing into account. It works otherwise though.
Status: RESOLVED → REOPENED
Keywords: fixed1.8.1.12
Resolution: FIXED → ---
My bad. The test cause is counterintuitive. 

Olli and I just conferred and this is fixed. Re-resolving and verifying.
Status: REOPENED → RESOLVED
Closed: 13 years ago
Keywords: fixed1.8.1.12
Resolution: --- → FIXED
That is, the test case. *sigh*
Status: RESOLVED → VERIFIED
Group: core-security