Bugtraq mailing list archives

IE - reading local files


From: "Adam [ckkl]" <ckkl () poczta wp pl>
Date: Sun, 23 Mar 2003 03:10:25 +0100

Hello,

I don't know if anybody pointed it out before...

While playing with IE [6.0] I found out that 
it is possible to read local files with a little
help from the user...

How does it work?
1. IE lets you define a style for the INPUT type=file tag,
    including a clipping region, which makes it possible to 
    hide the "Browse..." button.

2. IE lets you handle 3 events
    - ondragstart
    - ondrag
    - ondragend
   for misc tags like DIV, INPUT, IMG and others

3. IE lets you change the content of the INPUT after
   the user has started to drag it

Screenplay:
- user selects text in source INPUT
- user starts to drag text
- ondragstart event is fired
- the function takes control
  and changes the content
  of the source INPUT
- user drops the text in
  the uploading INPUT control
- ondragend event is fired
- function takes control and 
  submits the form at once

Exploit:
    - create the INPUT uploading control (type=file)
    - change its style to make it look innocent
      [remove border, clip the 'Browse...' button]
    - create the source INPUT control and make it 
      look like an innocent text [no borders, no focus]
    - write a simple handler for drag* events
      - it will change the content of the source INPUT 
        control to anything we want, f.ex. a local filename
    - seduce the user (f.ex. some kind of drag&drop 
      JavaScript game) to select text and drag it 
      into the uploading control area and when
      it's done (ondragend), submit the form and this 
      way send the file to the server

Proof of concept:
http://www.sztolnia.pl/hack/dragquIEn/dragquIEn.html

Best Regards
Adam Blaszczyk
reverser, coder, writer & researcher  [VX/AV]
http://www.symantec.com (Localization Engineer)
http://www.mykakee.com (Home page)
Whatever I say in this e-mail is my private opinion.
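
A static audit for the markup pattern listed in the message above, as an added example that is not part of the original post or its proof of concept. It flags a page that combines a clipped INPUT type=file with inline drag* handlers. The function names, both sample pages and the `swap()` handler name are assumptions made for illustration, and handlers attached from script rather than inline attributes are not seen by it.

```javascript
// Added example: static audit for the markup pattern described in the post.
// Both pages are constructed samples; swap() is a hypothetical, undefined handler.
const SAMPLE_PAGE = `
<form action="/upload" method="post" enctype="multipart/form-data">
  <input type="file" name="f" style="border:0; clip:rect(0 80px 20px 0); position:absolute">
  <input type="text" value="drag me" style="border:0" ondragstart="swap(this)" ondragend="this.form.submit()">
</form>`;
const BENIGN_PAGE = `
<form action="/upload" method="post" enctype="multipart/form-data">
  <input type="file" name="avatar">
  <input type="submit" value="Upload">
</form>`;

// Split markup into opening tags, each with a lower-cased attribute map.
function parseTags(html) {
  const tags = [];
  for (const m of html.matchAll(/<([a-z][a-z0-9]*)\b([^>]*)>/gi)) {
    const attrs = {};
    const attrRe = /([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;
    for (const a of m[2].matchAll(attrRe)) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? "";
    }
    tags.push({ name: m[1].toLowerCase(), attrs });
  }
  return tags;
}

// Report which of the post's preconditions appear in the markup.
function auditDragUpload(html) {
  const findings = [];
  for (const t of parseTags(html)) {
    const style = (t.attrs.style || "").toLowerCase();
    const isFile = t.name === "input" && (t.attrs.type || "").toLowerCase() === "file";
    // Point 1: file control whose "Browse..." button is clipped away.
    if (isFile && /\bclip\s*:/.test(style)) findings.push("styled-file-input");
    // Point 2: inline drag* handlers on any tag.
    const drag = ["ondragstart", "ondrag", "ondragend"].filter((e) => e in t.attrs);
    if (drag.length) findings.push("drag-handler:" + drag.join(","));
    // Screenplay, last step: the form is submitted as soon as the drag ends.
    if (/\.submit\s*\(/.test(t.attrs.ondragend || "")) findings.push("submit-on-dragend");
  }
  const suspicious = findings.includes("styled-file-input") &&
    findings.some((f) => f.startsWith("drag-handler:"));
  return { suspicious, findings };
}

console.log(auditDragUpload(SAMPLE_PAGE), auditDragUpload(BENIGN_PAGE));
```
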

