Slashdot Mirror


IE and Firefox Share a Vulnerability

hcmtnbiker writes with news of a logic flaw shared by IE 7 and Firefox 2.0. IE 5.01, IE 6, and Firefox 1.5.0.9 are also affected. The flaw was discovered by Michal Zalewski, and is easily demonstrated on IE7 and Firefox. The vulnerability is not platform-specific, but these demonstrations are — they work only on Windows systems. (Microsoft says that IE7 on Vista is not vulnerable.) From the vulnerability description: "In all modern browsers, form fields (used to upload user-specified files to a remote server) enjoy some added protection meant to prevent scripts from arbitrarily choosing local files to be sent, and automatically submitting the form without user knowledge. For example, '.value' parameter cannot be set or changed, and any changes to .type reset the contents of the field... [in this attack] the keyboard input in unrelated locations can be selectively geared toward input fields by the attacker."

16 of 207 comments

  1. Awww, that's so cute by varmint jerky · · Score: 5, Funny

    Next thing you know they'll be coquettishly batting eyelashes at each other and accidentally eating the same strand of spaghetti.

    1. Re:Awww, that's so cute by mrbluze · · Score: 3, Insightful

      It's certainly romantic, kind of - a bit like a fake pic of Bush and Osama in bed together that was floating around a few years ago... ewwww!

      Maybe the vulnerability they share is "that they both run in Windows".


      --
      Do it yourself, because no one else will do it yourself. [beta blockade 10-17 Feb]
  2. Nope by The Bungi · · Score: 3, Informative

    Not Firefox 1.5x under a non-admin account on XPSP2, though I admit that setup, while sane, is unfortunately not really common...

    1. Re:Nope by TheLink · · Score: 4, Interesting

      Well, in theory it's just for fishing a particular file with the filename that you type.

      I'm not too worried about it, because in my office I use Linux and I run WinXP in a virtual machine, in that VM I use a nonadmin account for normal stuff - viewing and printing Word or Excel docs, instant messaging, AND I use the Run As feature to launch browser windows as yet another different nonadmin account. On the Linux host itself, I run firefox as a different user from my main user account.

      So if I gather correctly, you can grab my bookmarks or downloaded files, IF I actually type all the letters to those specific paths? That's it?

      I'd be more worried about Windows graphic driver exploits - graphics drivers seem a bit shoddy, plus they are all about performance, not security. And currently it's basically - Nvidia, ATI and Intel.

      I've had weird things happen with Linux sound though so I wonder about the security of such stuff. I've pretty much given up on getting Linux sound to work properly for sustained periods of time (this on suse 10.0, perhaps I should try 10.2).

      --
    2. Re:Nope by TheLink · · Score: 3, Insightful

      Someone using the exploit can only grab any file on your filesystem that the user account your browser runs as has permissions to read, which may be significantly restricted (I found that hard to do on Linux in the old days, but I guess nowadays it should be easier with better filesystem ACLs).

      If you use the same user account for work, ssh and browsing then you risk exposing stuff like:

      ~/.ssh/id_dsa
      ~/.ssh/id_rsa

      Which in some cases might be more interesting than /etc/fstab ;).

      --
  3. How it works by Anonymous Coward · · Score: 3, Insightful

    Is the way this works by attaching keydown/keyup events to the document object, and then switching focus to the file upload field in order to let the user fill in the upload? Ingenious :)

    So a browser would fix this by not allowing programmatic access to focus() for file uploads?

    It doesn't sound like this would be particularly exploitable because you'd need them to type the letters in the right order (with other arbitrary letters as padding between them). Getting someone to type something might prove easier though now due to the prevalence of Captchas.

    1. Re:How it works by amrust · · Score: 5, Insightful

      Getting someone to type something might prove easier though now due to the prevalence of Captchas.


      You took the words right out of my keyboard, no pun intended*.

      It won't affect my commenting on blogs or sites that I normally frequent. But after that demo, I admit I probably won't look at captchas the same way again.

      * OK maybe one quick pun.
      --
      VOTE!
  4. Doesn't work with Firefox 2.0.0.1 on Windows XP by Anonymous Coward · · Score: 4, Informative

    I tried with a limited user account, but of course boot.ini can only be read by administrators. Then I tried with an administrator user, and still boot.ini wasn't shown. Fud?

    Also, there is no need to type all that gibberish about cheese. Just slowly type in:

    C:\boot.ini

    Type it too quickly, and the javascript in the background won't be able to keep up with the rate of keystrokes you enter.

  5. Requires javascript by pedrop357 · · Score: 3, Informative

    I use Noscript to block javascript. The exploit didn't work until I allowed javascript for that site.

    New/unknown sites won't be able to do this, but my previously "trusted" ones will.

  6. Re:IE7 Vista by evilgrug · · Score: 5, Informative

    It didn't protect IE on Vista for me. I created a dummy boot.ini and IE7 Vista happily spat it out.

  7. Re:IE7 Vista by brainhum · · Score: 5, Insightful

    The latest Web 2.0 Captcha:

    C:\ W IN D O W S\ sys tem 32\config\S AM


    You heard it here first! /.

  8. Variation on an old bug by jesser · · Score: 4, Informative

    I'm not sure why this is getting press now, given that a very similar exploit has been known and public since October 2000 (bug 56236). It was even fixed on trunk in September 2005, but left unfixed on branch intentionally because we weren't confident we had the UI right.

    Zalewski's version is bug 370092, and he was unhappy when I marked it as a duplicate of bug 56236.

    --
    The shareholder is always right.
  9. What about Konqueror? Or Safari? Or Opera? by Phil Urich · · Score: 3, Interesting

    Is this a case where using a really non-standard browser (well, I mean, Konqueror is standard for KDE but it's not like KDE is a common household word in middle America, heh) leaves one untouched? Or is this potentially a wider implementation problem? I did RTFA, and it is speculated upon. In Michal Zalewski's bug submission:

    Opera is unlikely to be vulnerable to that exact attack, because it is impossible to focus on the file input text field, only on the 'browse' button; other browsers were not tested, but I would expect at least some to be susceptible (naturally, on MacOS X or Linux, test cases have to be modified to access an existing file).

    However, this leaves the question mostly still open (even Opera perhaps, if something related that took into account Opera's different handling of these cases, right? Or am I reading wrong?).
    --
    I remember sigs. Oh, a simpler time!
  10. Re:Try as I might... by nmb3000 · · Score: 3, Informative

    Did I miss something from TFA that makes this windows-specific?

    I think the presence of a C:\ might help.

    --
    "What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
    /)
  11. Re:Offtopic rant by julesh · · Score: 4, Informative

    I abhor the use of the word "enjoy" in the media and by marketing people in particular. Form fields may *have* protection; they do not *enjoy* protection because they aren't fucking conscious. And nobody enjoys, say, the protection of car insurance. I don't sit at home feeling all warm and fuzzy because I've just taken out some policy.

    Seeing this in tech news just shows how much this has spread. I no longer want to use the word enjoy at all because every time I hear it, I am reminded of this usage and feel a twinge of annoyance.

    I want my English language back from these idiots!

    Online Etymology Dictionary
    enjoy
    c.1380, [...] Sense of "have the use or benefit of" first recorded c.1430. [...]

    Online Etymology Dictionary, © 2001 Douglas Harper


    You'll have to go a long way back to claim this one.
  12. Works on Firefox under Linux by smiggly · · Score: 5, Interesting

    It just takes a few changes. Try this:

    http://www.thanhngan.org/fflinuxversion.html