Slashdot Mirror

← Back to Stories (view on slashdot.org)

IE and Firefox Share a Vulnerability

Posted by kdawson on from the upload-with-daring-and-whimsy dept.

hcmtnbiker writes with news of a logic flaw shared by IE 7 and Firefox 2.0. IE 5.01, IE 6, and Firefox 1.5.0.9 are also affected. The flaw was discovered by Michal Zalewski, and is easily demonstrated on IE7 and Firefox. The vulnerability is not platform-specific, but these demonstrations are — they work only on Windows systems. (Microsoft says that IE7 on Vista is not vulnerable.) From the vulnerability description: "In all modern browsers, form fields (used to upload user-specified files to a remote server) enjoy some added protection meant to prevent scripts from arbitrarily choosing local files to be sent, and automatically submitting the form without user knowledge. For example, '.value' parameter cannot be set or changed, and any changes to .type reset the contents of the field... [in this attack] the keyboard input in unrelated locations can be selectively geared toward input fields by the attacker."

11 of 207 comments (clear)

  1. How it works by Anonymous Coward · · Score: 3, Insightful

    Is the way this works by attaching keydown/keyup events to the document object, and then switching focus to the file upload field in order to let the user fill in the upload? Ingenious :)

    So a browser would fix this by not allowing programmatic access to focus() for file uploads?

    It doesn't sound like this would be particularly exploitable because you'd need them to type the letters in the right order (with other arbitrary letters as padding between this). Getting someone to type something might prove easier though now due to the prevalence of Capchas.

    1. Re:How it works by amrust · · Score: 5, Insightful

      Getting someone to type something might prove easier though now due to the prevalence of Capchas.


      You took the words right out of my keyboard, no pun intended*.

      It won't affect my commenting on blogs or sites that I normally frequent. But after that demo, I admit I probably won't look at captchas the same way again.

      * OK maybe one quick pun.
      --
      VOTE!
    2. Re:How it works by ShieldW0lf · · Score: 2, Insightful

      The reason focus() exists is to allow you to send the cursor to the field that needs correcting when you're doing form validation. It would suck if it wasn't available.

      --
      -1 Uncomfortable Truth
  2. Anyone else try Opera ? by Joebert · · Score: 2, Insightful

    I tried this on
    Windows XP
    As Administrator
    With No 3rd party anti-virus or anti-spyware protection whatsoever (total of 20 processes running including Opera)
    Opera 9.10
    All scripting enabled
    Checked the presense of boot.ini

    And while it did continue to a new page when I typed the phrase, that new page didn't have the contents of my boot.ini file.
    Just a message telling me what that page was about.

    --
    Wanna fight ? Bend over, stick your head up your ass, and fight for air.
  3. They already share a vulnarability... by TEMMiNK · · Score: 2, Insightful

    the user.

    --
    "The stupider people think you are, the more surprised they will be when you kill them..."
  4. Re:IE7 Vista by brainhum · · Score: 5, Insightful

    The latest Web 2.0 Captcha:

    C:\ W IN D O W S\ sys tem 32\config\S AM


    You heard it here first! /.

  5. Re:Awww, that's so cute by mrbluze · · Score: 3, Insightful

    It's certainly romantic, kind of - a bit like a fake pic of Bush and Osama in bed together that was floating around a few years ago.. ewwww!



    Maybe the vulnerability they share is "that they both run in Windows".


    --
    Do it yourself, because no one else will do it yourself. [beta blockade 10-17 Feb]
  6. Re:Try as I might... by Anonymous Coward · · Score: 1, Insightful

    Hey dumbass! The summary also says:

    "The vulnerability is not platform-specific, but these demonstrations are -- they work only on Windows systems"

    So he took the demos and tried to re-implement them to work on Linux and he couldn't get them to do so.

  7. Re:Variation on an old bug by slashdot.org · · Score: 1, Insightful

    I'm not sure why this is getting press now, given that a very similar exploit has been known and public since October 2000 (bug 56236)

    erm, maybe because this is a fairly serious bug that still remains unfixed???

  8. Re:Variation on an old bug by Kopretinka · · Score: 2, Insightful

    I'm not sure why this is getting press now, given that a very similar exploit has been known and public since October 2000...
    If it gets press, the fix might finally be released, perhaps?
    --
    Yesterday was the time to do it right. Are we having a REVOLUTION yet?
  9. Re:Nope by TheLink · · Score: 3, Insightful

    Someone using the exploit can only grab any file on your filesystem that the user account your browser runs as has permissions to read, which may be significantly restricted (I found that hard to do on Linux in the old days, but I guess nowadays it should be easier with better filesystem ACLs).

    If you use the same user account for work, ssh and browsing then you risk exposing stuff like:

    ~/.ssh/id_dsa
    ~/.ssh/id_rsa

    Which in some cases might be more interesting than /etc/fstab ;).

    --