Full Disclosure mailing list archives
Re: Firefox focus stealing vulnerability (possibly other browsers)
From: Michal Zalewski <lcamtuf () dione ids pl>
Date: Mon, 12 Feb 2007 21:53:47 +0100 (CET)
On Mon, 12 Feb 2007, [ISO-8859-1] Claus Färber wrote:
A proper solution would be to keep a list of files explicitly selected by the user and only allow uploads of files in this list. Then even if a script can manipulate the field, the browser won't upload files that have not been selected by the user.
Not necessarily that easy: notice that it is the user who enters the name of a target file. Unless you want to prevent the browser from accepting any files that were not chosen using a visual file selector widget - but in such a case, there's not much point in having a manual file path entry box in the first place. /mz _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Firefox focus stealing vulnerability (possibly other browsers), (continued)
- Re: Firefox focus stealing vulnerability (possibly other browsers) Michal Zalewski (Feb 11)
- Re: Firefox focus stealing vulnerability (possibly other browsers) pdp (architect) (Feb 11)
- Re: Firefox focus stealing vulnerability (possibly other browsers) pdp (architect) (Feb 11)
- Re: Firefox focus stealing vulnerability (possibly other browsers) pdp (architect) (Feb 11)
- Re: Firefox focus stealing vulnerability (possibly other browsers) Michal Zalewski (Feb 11)
- Re: Firefox focus stealing vulnerability (possibly other browsers) pdp (architect) (Feb 11)
- Re: Firefox focus stealing vulnerability (possibly other browsers) Michal Zalewski (Feb 11)
- Re: Firefox focus stealing vulnerability (possibly other browsers) Ben Bucksch (Feb 11)
- Re: Firefox focus stealing vulnerability (possibly other browsers) Paul Szabo (Feb 11)
- Re: Firefox focus stealing vulnerability (possibly other browsers) Michal Zalewski (Feb 11)
- Message not available
- Re: Firefox focus stealing vulnerability (possibly other browsers) Michal Zalewski (Feb 12)
- Re: Firefox focus stealing vulnerability (possibly other browsers) pdp (architect) (Feb 12)
- Re: Firefox/MSIE focus stealing vulnerability - clarification Marcello Barnaba (Feb 12)
- Re: Firefox/MSIE focus stealing vulnerability - clarification Ruud H.G. van Tol (Feb 12)
- Re: Firefox/MSIE focus stealing vulnerability - clarification Tyop? (Feb 12)
- Re: Firefox/MSIE focus stealing vulnerability - clarification Marcello Barnaba (Feb 12)