Re: internet explorer local file reading

From: Andreas Sandblad (sandblad@acc.umu.se)
Date: 02/03/03

    Date: Mon, 3 Feb 2003 20:10:51 +0100 (CET)
    From: Andreas Sandblad <sandblad@acc.umu.se>
    To: jelmer <jelmer@kuperus.xs4all.nl>
    
    

    Nice Jelmer.

    First of all, I can confirm it on Win2000 pro, IE 6 SP1.

    This is not the first time we have seen user interaction
    problems with the upload control. Maybe you remember:
    "Pressing CTRL in IE is dangerous"
    http://online.securityfocus.com/archive/1/283866
    (Taking advantage of pasting. SHIFT also works because SHIFT-INSERT =
    CTRL-V)

    Btw, we only need to know the relative path. For example we can use:
    "..\\Cookies\\index.dat" instead of "c:\\jelmer.txt"

    /Andreas Sandblad

    On Mon, 3 Feb 2003, jelmer wrote:

    > We already knew pressing the back button on IE is dangerous
    > (http://online.securityfocus.com/archive/1/267561) So it won't come as a
    > total shock that so is clicking a link :)
    > The problem lies in the dragdrop method that was added as a method on
    > nearly all HTML elements in ie5.5. This method makes any element act like
    > it's being dragged.
    >
    > It is possible to abuse this behaviour to drop text in a html upload control,
    > thus allowing you to read any file from an unsuspecting user's harddisk. In
    > order for it to be successful the name of the file must be known.
    >
    > Basically, drag and dropping text takes a couple of steps:
    >
    > - select text
    > - press mouse
    > - move mouse over an element that can accept it
    > - release mouse.
    >
    > It is possible to mimic all the above steps but the pressing of the button
    > by using javascript
    >
    > a demo is provided at
    >
    > http://kuperus.xs4all.nl/security/ie/xfiles.htm
    >
    > it isn't very elegant but seems to work most of the time (ie acts a little
    > flakey at times),
    > there are probably better ways to do it if you know of any let me know ;)
    >
    >
    > it was tested on ie 6 sp1 + all patches
    >
    > Microsoft was notified a couple of days back, haven't received anything back
    > yet
    >
    > If you want to protect yourself against this disable active scripting
    >
    >
    > references:
    >
    > http://webreference.com/programming/javascript/dragdropie/3.html
    > http://msdn.microsoft.com/workshop/author/dhtml/reference/methods/dragdrop.asp
    >

    -- 
        _     _
      o' \,=./ `o
         (o o)
    -ooO--(_)--Ooo-
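
For triaging saved pages against the pattern this thread describes (script calling dragDrop() on a page that also holds an upload control, optionally with a local path such as the relative one Andreas mentions), here is a static heuristic scanner. It is an added example, not code from either poster; the names `UploadDragDropScanner` and `triage` and the sample page are constructed for illustration, and the co-occurrence rule is an assumption about what is worth flagging.

```python
import re
from html.parser import HTMLParser
# The IE-specific method named in the post (JScript is case-sensitive).
DRAGDROP_CALL = re.compile(r"\.\s*dragDrop\s*\(")
# A Windows path in script text: drive-letter form or the ..\ relative form.
WIN_PATH = re.compile(r"(?:[A-Za-z]:|\.\.)\\{1,2}[^\s\"']+")

# Constructed, non-functional sample: it carries the markers only.
SAMPLE = r'''<html><body><form><input type="file" name="f"></form>
<a id="lnk" href="#" onclick="go()">click</a>
<script>var target = "..\\Cookies\\index.dat";
function go() { document.getElementById("lnk").dragDrop(); }
</script></body></html>'''

class UploadDragDropScanner(HTMLParser):
    """Counts upload controls, dragDrop() calls and local paths on one page."""

    def __init__(self):
        super().__init__()
        self.file_inputs, self.dragdrop_calls, self.paths = 0, 0, []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "input" and (attrs.get("type") or "").lower() == "file":
            self.file_inputs += 1
        self._in_script = self._in_script or tag == "script"
        for name, value in attrs.items():  # inline handlers such as onclick
            if name.startswith("on") and value:
                self._scan(value)

    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"

    def handle_data(self, data):
        if self._in_script:
            self._scan(data)

    def _scan(self, text):
        self.dragdrop_calls += len(DRAGDROP_CALL.findall(text))
        self.paths.extend(WIN_PATH.findall(text))

def triage(html):
    """Flag a page only when an upload control and a dragDrop() call co-occur."""
    s = UploadDragDropScanner()
    s.feed(html)
    s.close()
    return {"suspicious": s.file_inputs > 0 and s.dragdrop_calls > 0,
            "file_inputs": s.file_inputs, "dragdrop_calls": s.dragdrop_calls, "paths": s.paths}
```

A hit is a lead for manual review, not proof: script that assembles the method name at run time or loads it from another file will not match.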
    
