Bugtraq mailing list archives

Full source for File field vulnerability


From: Billy Nothern <disk_key () HOTMAIL COM>
Date: Fri, 8 Dec 2000 16:30:35 -0000

I've gotten a lot of mails asking for the full source, so here's a link:

http://attrition.org/security/key/

There are two versions there, one for IE 5 and one for IE 4. It wasn't
mentioned in the Microsoft Advisory that IE 4 could be vulnerable to this
attack, but my tests have shown that it is.

The IE 4 version is basically a hacked-up copy of the IE 5 exploit. I do
things in a different order in the IE 5 version than I do in the IE 4
exploit. For example, focus is kept on the File field, while my script
populates the userInput field with the user's keystrokes.

This vulnerability seems to come from the fact that a script can catch a
user's keystroke and modify it (window.event.keyCode), and the modified key
is sent to the focused window. Bad thing to happen.

Thanks to Attrition for hosting my files!

Goodbye,
key
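The post above describes the root cause as a script being able to rewrite `window.event.keyCode` before the keystroke reaches the focused control. The following is an added example, not code from the post or from the files hosted at the linked URL: a small Node.js simulation (no real browser or DOM is involved; the "controls", "events" and the function names `makeControl`, `makeLegacyEvent`, `makeModernEvent`, `typeInto`, `substitutingHandler` and `demo` are all constructed here) that contrasts a mutable event object, as the IE 4/5 model allowed, with an event whose `keyCode` is a read-only property, as on the modern `KeyboardEvent`. It shows why making the event property non-writable is the mitigation: the page's handler still runs first, but its attempted rewrite no longer changes what the focused control receives.

```javascript
// Added example (not from the original post): a minimal model of legacy
// keystroke delivery versus a read-only KeyboardEvent, to show why a script
// that can rewrite window.event.keyCode can change what a focused control
// (such as an <input type="file">) receives, and why a non-writable keyCode
// closes that path. Everything here is a plain-object simulation.

// A focused control simply records the key codes delivered to it.
function makeControl(name) {
  return { name, received: [] };
}

// Legacy model: the event is an ordinary mutable object, matching the
// IE 4/5 behaviour described in the post, where a handler could assign to
// window.event.keyCode before the key reached the focused control.
function makeLegacyEvent(keyCode) {
  return { keyCode };
}

// Modern model: keyCode is a non-writable property, as on KeyboardEvent.
// Assignment is silently ignored in sloppy mode and throws in strict mode.
function makeModernEvent(keyCode) {
  const ev = {};
  Object.defineProperty(ev, 'keyCode', {
    value: keyCode,
    writable: false,
    enumerable: true,
  });
  return ev;
}

// Deliver each character of `text`: page handlers see the event first, then
// whatever keyCode the event carries afterwards is handed to the control.
// Returns the text the control actually received.
function typeInto(control, handlers, makeEvent, text) {
  for (const ch of text) {
    const ev = makeEvent(ch.charCodeAt(0));
    for (const handler of handlers) handler(ev);
    control.received.push(ev.keyCode);
  }
  return String.fromCharCode(...control.received);
}

// A handler that tries to replace every keystroke with one fixed character.
// In the legacy model the replacement reaches the control; in the modern
// model the assignment has no effect because keyCode is not writable.
function substitutingHandler(replacementChar) {
  const code = replacementChar.charCodeAt(0);
  return function (ev) {
    try {
      ev.keyCode = code;
    } catch (e) {
      // Read-only property under strict mode: the rewrite is rejected.
    }
  };
}

// Run the same typed input through both models and report what arrived.
function demo() {
  const handlers = [substitutingHandler('x')];
  const legacy = typeInto(makeControl('file'), handlers, makeLegacyEvent, 'abc');
  const modern = typeInto(makeControl('file'), handlers, makeModernEvent, 'abc');
  return { legacy, modern };
}

module.exports = { makeControl, makeLegacyEvent, makeModernEvent, typeInto, substitutingHandler, demo };
```

Running `demo()` returns `{ legacy: 'xxx', modern: 'abc' }`: under the mutable-event model the user typed `abc` but the control received `xxx`, which is the class of behaviour the post reports; with a non-writable `keyCode` the handler still observes the event but cannot alter what is delivered. The simulation deliberately stops at the event-property level and does not model focus handling or form submission.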

