Slashdot Mirror

← Back to Stories (view on slashdot.org)

IE and Firefox Share a Vulnerability

Posted by kdawson on from the upload-with-daring-and-whimsy dept.

hcmtnbiker writes with news of a logic flaw shared by IE 7 and Firefox 2.0. IE 5.01, IE 6, and Firefox 1.5.0.9 are also affected. The flaw was discovered by Michal Zalewski, and is easily demonstrated on IE7 and Firefox. The vulnerability is not platform-specific, but these demonstrations are — they work only on Windows systems. (Microsoft says that IE7 on Vista is not vulnerable.) From the vulnerability description: "In all modern browsers, form fields (used to upload user-specified files to a remote server) enjoy some added protection meant to prevent scripts from arbitrarily choosing local files to be sent, and automatically submitting the form without user knowledge. For example, '.value' parameter cannot be set or changed, and any changes to .type reset the contents of the field... [in this attack] the keyboard input in unrelated locations can be selectively geared toward input fields by the attacker."

4 of 207 comments (clear)

  1. Offtopic by KeepQuiet · · Score: 1, Offtopic

    Am I the only one who kinda freaks out every time he sees this 'bug' picture? Can't slashdot have a cuter bug image?

    1. Re:Offtopic by Dachannien · · Score: 0, Offtopic

      I suggest a picture of Vincent D'Onofrio:

      http://poly.chromatic.net/blog/wp-content/_films_0 2_mib_opti_donofrio.jpg

  2. Offtopic rant by n0rr1s · · Score: 0, Offtopic

    Sorry to go offtopic, but this is a pet peeve.

    I abhor the use of the word "enjoy" in the media and by marketing people in particular. Form fields may *have* protection; they do not *enjoy* protection because they aren't fucking conscious. And nobody enjoys, say, the protection of car insurance. I don't sit at home feeling all warm and fuzzy because I've just taken out some policy.

    Seeing this in tech news just shows how much this has spread. I no longer want to use the word enjoy at all because every time I hear it, I am reminded of this usage and feel a twinge of annoyance.

    I want my English language back from these idiots! In addition to enjoy, the following words also need to be reclaimed:
    now (as in "call this number *now*")
    sensational

    I can't think of more off the top of my head at this time in the morning. There are loads. Feel free to add your own.

  3. Re:Doesn't work with Firefox 2.0.0.1 on Windows XP by Adambomb · · Score: 0, Offtopic

    Also, there is no need to type all that jibberish about cheese. Just slowly type in: +++ OUT OF CHEESE ERROR +++ REDO FROM START +++
    --
    Ice Cream has no bones.