Slashdot Mirror


IE and Firefox Share a Vulnerability

hcmtnbiker writes with news of a logic flaw shared by IE 7 and Firefox 2.0. IE 5.01, IE 6, and Firefox 1.5.0.9 are also affected. The flaw was discovered by Michal Zalewski, and is easily demonstrated on IE7 and Firefox. The vulnerability is not platform-specific, but these demonstrations are — they work only on Windows systems. (Microsoft says that IE7 on Vista is not vulnerable.) From the vulnerability description: "In all modern browsers, form fields (used to upload user-specified files to a remote server) enjoy some added protection meant to prevent scripts from arbitrarily choosing local files to be sent, and automatically submitting the form without user knowledge. For example, '.value' parameter cannot be set or changed, and any changes to .type reset the contents of the field... [in this attack] the keyboard input in unrelated locations can be selectively geared toward input fields by the attacker."

9 of 207 comments

  1. Re:IE7 Vista by holloway · · Score: 2, Interesting

    Is it invulnerable because the file they happened to choose is restricted (c:\boot.ini) or because the browser is now smart enough not to give javascript focus to file upload fields?

    If so then it's still vulnerable because they'll release a patch to stop hackers from uploading user files, like those with predictable filenames. It seems wrong to say that IE+Vista aren't vulnerable when the IE bug still exists.

    (of course if IE7 prevents giving focus to the upload field then I'm wrong -- but I don't think that's the case. The same bug exists in IE7 on Vista)

  2. Re:Nope by TheLink · · Score: 4, Interesting

    Well, in theory it's just for fishing a particular file with the filename that you type.

    I'm not too worried about it, because in my office I use Linux and I run WinXP in a virtual machine, in that VM I use a nonadmin account for normal stuff - viewing and printing Word or Excel docs, instant messaging, AND I use the Run As feature to launch browser windows as yet another different nonadmin account. On the Linux host itself, I run firefox as a different user from my main user account.

    So if I gather correctly, you can grab my bookmarks or downloaded files, IF I actually type all the letters to those specific paths? That's it?

    I'd be more worried about Windows graphic driver exploits - graphics drivers seem a bit shoddy - plus they are all about performance, not security. And currently it's basically - Nvidia, ATI and Intel.

    I've had weird things happen with Linux sound though so I wonder about the security of such stuff. I've pretty much given up on getting Linux sound to work properly for sustained periods of time (this on suse 10.0, perhaps I should try 10.2).

  3. Vulnerability doesn't work on Vista (Sort of) by Anonymous Coward · · Score: 2, Interesting

    Vulnerability kinda doesn't work using Firefox 2.0.0.2 and Internet Explorer 7 (Both 32 bit and 64 bit version) on Vista Business Retail.

    I had to create a Boot.ini file in my C: drive since Vista doesn't have it there anymore. IE7 and Firefox will be able to pull information out of the file if you have permissions to read the file but if you don't it won't work. This is probably why some people are reporting it doesn't work in Win XP with a user account. Only admin accounts are affected because the user accounts probably don't have read access for boot.ini.

    This means that the vulnerability won't be able to access any system files but it could potentially access sensitive data you have because you'd obviously have permissions to read those files (i.e. Word documents on your desktop).

    It seems that the person using this exploit would have to know the exact filename and path of the file he wants so this seems like a minor issue. The real risk is with system files because the directory and filenames for those will most likely be the same on most systems but those can't be read and I'm not sure what you'd do with the info anyway...

  4. Try as I might... by oceanstream · · Score: 2, Interesting

    I cannot get this flaw to work in Firefox on Linux. I've gawked and re-written the code several times, created dummy text files that are mode 0666, to no avail. I think it could be exploitable only under the loosest of security profiles. Did I miss something from TFA that makes this windows-specific?

  5. Re:Anyone else try Opera ? by KDR_11k · · Score: 2, Interesting

    When I try that the input field that's supposed to contain the filename just collapses to a 2 pixel wide line and nothing else happens.

    --
    Justice is the sheep getting arrested while an impartial judge declares the vote void.

  6. What about Konqueror? Or Safari? Or Opera? by Phil+Urich · · Score: 3, Interesting

    Is this a case where using a really non-standard browser (well, I mean, Konqueror is standard for KDE but it's not like KDE is a common household word in middle America, heh) leaves one untouched? Or is this potentially a wider implementation problem? I did RTFA, and it is speculated upon. In Michal Zalewski's bug submission:

    Opera is unlikely to be vulnerable to that exact attack, because it is impossible to focus on the file input text field, only on the 'browse' button; other browsers were not tested, but I would expect at least some to be susceptible (naturally, on MacOS X or Linux, test cases have to be modified to access an existing file). However, this leaves the question mostly still open (even Opera perhaps, if something related that took into account Opera's different handling of these cases, right? Or am I reading wrong?).
    --
    I remember sigs. Oh, a simpler time!

  7. Re:Nope by Anonymous Coward · · Score: 2, Interesting

    Isn't anyone using Google Mail? Just compose a new mail, and attach a file. Type in the file name, and Gmail will automatically upload it without you submitting anything. The "feature" has been there for ages, so frankly I'm puzzled why all the fuss now and not months ago?

    So now that this is a bug, it makes Gmail an exploit, which makes Google do evil.

    Boycott Google, Hail Microsoft! ..right?

  8. Works on Firefox under Linux by smiggly · · Score: 5, Interesting

    It just takes a few changes. Try this:

    http://www.thanhngan.org/fflinuxversion.html

  9. Re:Flaw is locale-dependent by ESqVIP · · Score: 2, Interesting

    I could be wrong, but I don't think you can really predict the character output of a keydown event, as it happens on a keystroke-level, before important factors (dead keys, shift and caps state, keyboard layout) are analyzed to determine the final character. The appropriate event for that would be keypress, but on my tests it can't be hijacked (maybe there could be some trick). So, you'd need a few initial keystrokes to test which characters they produce, and then attempt to guess the layout being used.