Full Disclosure mailing list archives

Re: New flaw found in Firefox 2.0.0.4: Firefox file input focus vulnerabilities


From: Michal Zalewski <lcamtuf () dione ids pl>
Date: Sat, 30 Jun 2007 23:13:07 +0200 (CEST)

On Sat, 30 Jun 2007, Joseph Hick wrote:

> This doesn't seem like a security flaw to me.

This is somewhat similar to my focus stealing bugs described here:

  http://lcamtuf.coredump.cx/focusbug/

...though it seems to work on patched Firefox because of a clever use of
label-based aliasing.

Now, the vulnerability: for security reasons, the value of a file input field
cannot be specified in HTML or set from a script (otherwise, you could then
just do submit() and have a file uploaded without the user's consent) - and we
want it to stay that way.

Still, a file input field can be hidden off-screen and the victim might not
be aware of its presence or contents. Now, if a malicious web page can
selectively redirect certain keystrokes to a hidden field of this type,
while giving the user the impression he's actually typing a web forum post,
playing a game, performing a search, or whatnot, with visible feedback
elsewhere on the webpage - we're in trouble: once a desired file name is
collected, the script can have the form submitted, complete with a victim's
file of the attacker's liking.

Non-trivial user interaction is required, of course, but it's not terribly
difficult to solicit some.

Cheers,
/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
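The pattern the post describes (a file input pushed off-screen whose focus can still be reached through a visible `<label for=...>`) can be flagged by a simple static check; the following heuristic is an added example, not code from the post or the thread, and it assumes the hiding is done with inline style attributes on markup supplied as a string (the sample HTML is constructed).

```python
# Added example (not from the original post): a static heuristic that flags an
# <input type="file"> hidden off-screen by inline style while a <label for="...">
# still points at it, i.e. the label-based focus aliasing discussed above.
# Assumption: hiding is expressed in inline style attributes, not external CSS.
import re
from html.parser import HTMLParser

# Inline-style fragments commonly used to take a control out of view.
HIDING_RULES = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?:[^.\d]|$)"
    r"|(?:left|top|right|bottom)\s*:\s*-\d{3,}",
    re.I,
)


class FileInputAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.file_inputs = {}  # element id -> True if hidden by inline style
        self.labels = set()    # ids referenced by <label for="...">

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "file":
            style = a.get("style") or ""
            self.file_inputs[a.get("id")] = bool(HIDING_RULES.search(style))
        elif tag == "label" and a.get("for"):
            self.labels.add(a["for"])


def find_hidden_labelled_file_inputs(html):
    """Return ids of file inputs that are hidden yet reachable via a label."""
    p = FileInputAuditor()
    p.feed(html)
    return sorted(i for i, hidden in p.file_inputs.items()
                  if hidden and i in p.labels)


# Constructed sample: one honest upload field, one off-screen field whose
# visible label invites the user to type into it.
SAMPLE = """
<form action="/post" method="post" enctype="multipart/form-data">
  <label for="avatar">Avatar</label><input type="file" id="avatar" name="avatar">
  <label for="f">Type your forum post here</label>
  <input type="file" id="f" name="f" style="position:absolute; left:-5000px">
</form>
"""

if __name__ == "__main__":
    print(find_hidden_labelled_file_inputs(SAMPLE))  # ['f']
```

A hit only says the markup matches the shape of the trick; scripted repositioning or stylesheet-based hiding would need a rendered-DOM check instead.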