Re: IE - reading local files

From: jelmer (jelmerat_private)
Date: Mon Mar 24 2003 - 08:28:45 PST


    >> I don't know if anybody pointed it out before... 
    
    Yes, I did; see http://msgs.securepoint.com/cgi-bin/get/bugtraq0302/12.html
    
    
    ----- Original Message ----- 
    From: "Adam [ckkl]" <ckklat_private>
    To: <bugtraqat_private>
    Sent: Sunday, March 23, 2003 3:10 AM
    Subject: IE - reading local files
    
    
    > Hello,
    > 
    > I don't know if anybody pointed it out before...
    > 
    > While playing with IE [6.0] I found out that 
    > it is possible to read local files with a little
    > help from the user...
    > 
    > How does it work?
    > 1. IE lets you define a style for the INPUT type=file tag,
    >     including a clipping region, which makes it possible to
    >     hide the "Browse..." button.
    > 
    > 2. IE lets you handle 3 events
    >     - ondragstart
    >     - ondrag
    >     - ondragend
    >    for misc tags like DIV, INPUT, IMG and others
    > 
    > 3. IE lets you change the content of the INPUT after
    >    the user started to drag it
    > 
    > Screenplay:
    > - user selects text in source INPUT
    > - user starts to drag text
    > - ondragstart event is fired
    > - the function takes control
    >   and changes the content
    >   of the source INPUT
    > - user drops the text in
    >   the uploading INPUT control
    > - ondragend event is fired
    > - function takes control and 
    >   submits the form at once
    > 
    > Exploit:
    >     - create the INPUT uploading control (type=file)
    >     - change its style to make it look innocent
    >       [remove border, clip the 'Browse...' button]
    >     - create the source INPUT control and make it 
    >       look like an innocent text [no borders, no focus]
    >     - write a simple handler for drag* events
    >       - it will change the content of the source INPUT 
    >        control to anything we want, f.ex. local filename
    >     - seduce user (f.ex. some kind of drag&drop 
    >       JavaScript game) to select text and drag it 
    >       into uploading control area and when
    >       it's done (ondragend), submit the form and this 
    >       way send the file to the server
    > 
    > Proof of concept:
    > http://www.sztolnia.pl/hack/dragquIEn/dragquIEn.html
    > 
    > Best Regards
    > Adam Blaszczyk
    > reverser, coder, writer & researcher  [VX/AV]
    > http://www.symantec.com (Localization Engineer)
    > http://www.mykakee.com (Home page)
    > Whatever I say in this e-mail is my private opinion.
    > 
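
For reviewing pages for the combination the quoted post describes (a file-upload INPUT with a clipping style, alongside drag* event handlers), the following static check is an added example and is not part of the original messages. The sample markup is constructed, and the handler names onStart/onEnd are hypothetical placeholders.

```python
from html.parser import HTMLParser

DRAG_EVENTS = {"ondragstart", "ondrag", "ondragend"}  # the three events named in the post

class DragUploadAudit(HTMLParser):
    """Collects inline-styled file inputs and drag* handler attributes."""
    def __init__(self):
        super().__init__()
        self.clipped_file_inputs = []  # (line, style) for type=file inputs styled with clip
        self.drag_handlers = []        # (line, tag, event) for each drag* attribute

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values may be None
        a = {k: (v or "") for k, v in attrs}
        line = self.getpos()[0]
        if tag == "input" and a.get("type", "").lower() == "file":
            style = a.get("style", "").lower()
            if "clip" in style:  # inline style only; stylesheets are not resolved
                self.clipped_file_inputs.append((line, style))
        for event in DRAG_EVENTS.intersection(a):
            self.drag_handlers.append((line, tag, event))

def audit(html):
    """Return findings; 'suspicious' is set only when both features co-occur."""
    parser = DragUploadAudit()
    parser.feed(html)
    parser.close()
    return {
        "clipped_file_inputs": parser.clipped_file_inputs,
        "drag_handlers": sorted(parser.drag_handlers),
        "suspicious": bool(parser.clipped_file_inputs and parser.drag_handlers),
    }

# Constructed sample: clipped upload control plus drag handlers on a text input.
CONSTRUCTED_SUSPECT = """<form method="post" enctype="multipart/form-data">
<input type="file" name="up" style="border:0; clip:rect(0 60px 20px 0)">
<input type="text" value="drag this" ondragstart="onStart()" ondragend="onEnd()">
</form>"""

# Constructed sample: plain upload control; a drag handler alone is not flagged.
CONSTRUCTED_BENIGN = """<form method="post" enctype="multipart/form-data">
<input type="file" name="up">
<div ondragstart="onStart()">item</div>
</form>"""

if __name__ == "__main__":
    for name, page in (("suspect", CONSTRUCTED_SUSPECT), ("benign", CONSTRUCTED_BENIGN)):
        print(name, audit(page))
```

The check only sees inline attributes, so styles applied from a stylesheet or handlers attached from script are outside what it reports.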
    


