Bugtraq mailing list archives
Re: internet explorer local file reading
From: Andreas Sandblad <sandblad () acc umu se>
Date: Mon, 3 Feb 2003 20:10:51 +0100 (CET)
Nice Jelmer. First of all, I can confirm it on Win2000 pro, IE 6 SP1.

This is not the first time we have seen user interaction problems with the upload control. Maybe you remember:
"Pressing CTRL in IE is dangerous"
http://online.securityfocus.com/archive/1/283866
(Taking advantage of pasting. SHIFT also works because SHIFT-INSERT = CTRL-V)

Btw, we only need to know the relative path. For example we can use:
"..\\Cookies\\index.dat" instead of "c:\\jelmer.txt"

/Andreas Sandblad

On Mon, 3 Feb 2003, jelmer wrote:
> We already knew pressing the back button on IE is dangerous
> (http://online.securityfocus.com/archive/1/267561)
> So it won't come as a total shock that so is clicking a link :)
>
> The problem lies in the dragdrop method that was added as a method on nearly all HTML elements in ie5.5. This method makes any element act like it's being dragged. It is possible to abuse this behaviour to drop text in a html upload control, thus allowing you to read any file from an unsuspecting user's harddisk. In order for it to be successful the name of the file must be known.
>
> Basically drag and dropping text takes a couple of steps:
> - select text
> - press mouse
> - move mouse over an element that can accept it
> - release mouse
>
> It is possible to mimic all the above steps but the pressing of the button by using javascript.
>
> A demo is provided at http://kuperus.xs4all.nl/security/ie/xfiles.htm
> It isn't very elegant but seems to work most of the time (ie acts a little flakey at times); there are probably better ways to do it, if you know of any let me know ;)
>
> It was tested on ie 6 sp1 + all patches.
>
> Microsoft was notified a couple of days back, haven't received anything back yet.
>
> If you want to protect yourself against this disable active scripting.
>
> references:
> http://webreference.com/programming/javascript/dragdropie/3.html
> http://msdn.microsoft.com/workshop/author/dhtml/reference/methods/dragdrop.asp
--
     _     _
   o' \,=./ `o
      (o o)
-ooO--(_)--Ooo-