[17982] in bugtraq
Full source for File field vulnerability
daemon@ATHENA.MIT.EDU (Billy Nothern)
Sun Dec 10 17:07:45 2000
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-Id:  <F293Z7nsFBC8GEWuLya00013335@hotmail.com>
Date:         Fri, 8 Dec 2000 16:30:35 -0000
Reply-To: Billy Nothern <disk_key@HOTMAIL.COM>
From: Billy Nothern <disk_key@HOTMAIL.COM>
X-To:         win2ksecadvice@listserv.ntsecurity.net,
              MS-SecNews@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
I've gotten a lot of mails asking for the full source, so here's a link:
http://attrition.org/security/key/
There are two versions there. One for IE 5 and one for IE 4. It wasn't
mentioned in the Microsoft Advisory that IE 4 could be vulnerable to this
attack, but my tests have shown that it is.
The IE 4 version is basically a hacked-up copy of the IE 5 exploit. I do
things in a different order in the IE 5 version than I do in the IE 4
exploit. For example, focus is kept on the File field, while my script
populates the userInput field with the user's keystrokes.
This vulnerability seems to come from the fact that a script can catch a
user's keystroke and modify it (window.event.keyCode), and the modified key
is sent to the focused window. Bad thing to happen.
Thanks to Attrition for hosting my files!
Goodbye,
key
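Added illustration (not the exploit code the post links to, and not a description of Microsoft's actual fix): a small model of the mechanism the post describes. Key events pass through page-script handlers before they reach the focused field; when the event's keyCode is writable, a handler can substitute characters and the field records text the user never typed. The hardened dispatcher freezes the event before handlers run, so the substitution is rejected and the user's own keystrokes reach the field. The `Field` class, the dispatcher functions and the sample keystrokes are all constructed for this example.

```javascript
// Constructed model of keystroke dispatch (not browser DOM code): a focused
// field accumulates the characters of the key events delivered to it.
class Field {
  constructor(name) {
    this.name = name;
    this.value = '';
  }
  receive(ev) {
    this.value += String.fromCharCode(ev.keyCode);
  }
}

// Key codes for a string the user "types" (constructed sample input).
function codesOf(text) {
  return Array.from(text, (c) => c.charCodeAt(0));
}

// A page-script handler that tries to overwrite each keystroke's keyCode with
// the next character of a string of its own choosing. This models the
// untrusted script in the post; whether it succeeds depends on the dispatcher.
function makeRewritingHandler(replacement) {
  let i = 0;
  return (ev) => {
    ev.keyCode = replacement.charCodeAt(i % replacement.length);
    i += 1;
  };
}

// Unsafe dispatcher: the event is a plain mutable object, so a handler's
// write to keyCode is honoured and the focused field records forged text.
function dispatchMutable(focused, handlers, keyCodes) {
  for (const code of keyCodes) {
    const ev = { keyCode: code };
    for (const h of handlers) h(ev);
    focused.receive(ev);
  }
  return focused.value;
}

// Hardened dispatcher: the event is frozen before any handler runs. A write
// to keyCode is silently ignored in sloppy mode and throws in strict mode;
// either way the field receives the user's original key. (Assumption: this
// models an immutable event property, nothing more.)
function dispatchImmutable(focused, handlers, keyCodes) {
  for (const code of keyCodes) {
    const ev = Object.freeze({ keyCode: code });
    for (const h of handlers) {
      try {
        h(ev);
      } catch (e) {
        // Strict-mode handlers throw TypeError on the rejected write; drop it.
      }
    }
    focused.receive(ev);
  }
  return focused.value;
}

// Stand-alone demonstration: the same handler against both dispatchers.
const typed = codesOf('abc');
console.log('mutable  :', dispatchMutable(new Field('file'), [makeRewritingHandler('XYZ')], typed));
console.log('immutable:', dispatchImmutable(new Field('file'), [makeRewritingHandler('XYZ')], typed));
```

The check a defender cares about is the second line: with an immutable event, the field's value equals what the user typed regardless of what page scripts attempt.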