First of all, I can confirm it on Win2000 pro, IE 6 SP1.
This is not the first time we have seen user interaction
problems with the upload control. Maybe you remember:
"Pressing CTRL in IE is dangerous"
http://online.securityfocus.com/archive/1/283866
(Taking advantage of pasting. SHIFT also works because SHIFT-INSERT =
CTRL-V)
Btw, we only need to know the relative path. For example we can use:
"..\\Cookies\\index.dat" instead of "c:\\jelmer.txt"
/Andreas Sandblad
On Mon, 3 Feb 2003, jelmer wrote:
> We already knew pressing the back button on IE is dangerous
> (http://online.securityfocus.com/archive/1/267561) so it won't come as a
> total shock that so is clicking a link :)
> The problem lies in the dragdrop method that was added as a method on
> nearly all HTML elements in ie5.5. This method makes any element act like
> it's being dragged.
>
> It is possible to abuse this behaviour to drop text in a html upload control,
> thus allowing you to read any file from an unsuspecting user's hard disk.
> In order for it to be successful the name of the file must be known.
>
> Basically, drag and dropping text takes a couple of steps:
>
> - select text
> - press mouse
> - move mouse over an element that can accept it
> - release mouse.
>
> It is possible to mimic all the above steps but the pressing of the button
> by using javascript
>
> a demo is provided at
>
> http://kuperus.xs4all.nl/security/ie/xfiles.htm
>
> it isn't very elegant but seems to work most of the time (ie acts a little
> flakey at times),
> there are probably better ways to do it if you know of any let me know ;)
>
>
> it was tested on ie 6 sp1 + all patches
>
> Microsoft was notified a couple of days back, haven't received anything back
> yet
>
> If you want to protect yourself against this disable active scripting
>
>
> references:
>
> http://webreference.com/programming/javascript/dragdropie/3.html
> http://msdn.microsoft.com/workshop/author/dhtml/reference/methods/dragdrop.asp
>
--
_ _
o' \,=./ `o
(o o)
-ooO--(_)--Ooo-
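
A defender-side heuristic for the pattern described in this thread, added here as an example and not code from either poster: it flags HTML that pairs a file upload control with a scripted dragDrop() call and a local path literal. The function name scanPage, the verdict labels and the sample pages are assumptions made for illustration.

```javascript
// Added example: heuristic content scanner (e.g. for a filtering proxy).
// scanPage(), its verdict labels and SAMPLES are hypothetical names.
function scanPage(html) {
  const findings = [];
  // File upload controls: <input ... type=file ...>, quoted or unquoted.
  const fileInputs = html.match(/<input\b[^>]*\btype\s*=\s*["']?file\b[^>]*>/gi) || [];
  // Collect inline script bodies and on* event handler attribute values.
  const scripts = [];
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) scripts.push(m[1]);
  const handlerRe = /\bon[a-z]+\s*=\s*("[^"]*"|'[^']*')/gi;
  while ((m = handlerRe.exec(html)) !== null) scripts.push(m[1].slice(1, -1));
  const code = scripts.join("\n");
  // Calls to the IE-specific dragDrop() method, dotted or bracketed access.
  const dragCalls = code.match(/(\.\s*dragDrop|\[\s*["']dragDrop["']\s*\])\s*\(/g) || [];
  // String literals shaped like local Windows paths, absolute ("c:\\...")
  // or relative ("..\\..."), as in the two forms quoted in the thread.
  const pathRe = /["']((?:[a-zA-Z]:|\.\.)(?:\\\\|\\|\/)[^"']*)["']/g;
  const paths = [];
  while ((m = pathRe.exec(code)) !== null) paths.push(m[1]);

  if (fileInputs.length) findings.push("file-input");
  if (dragCalls.length) findings.push("dragdrop-call");
  if (paths.length) findings.push("local-path-literal");
  // An upload control alone is normal; dragDrop() alone is unusual;
  // both together with a local path literal matches the reported pattern.
  let verdict = "clean";
  if (fileInputs.length && dragCalls.length) {
    verdict = paths.length ? "block" : "review";
  } else if (dragCalls.length) {
    verdict = "review";
  }
  return { verdict, findings, paths };
}

// Constructed sample pages (markers only, not taken from the linked demo).
const SAMPLES = {
  uploadForm: '<form><input type="file" name="doc"><input type="submit"></form>',
  dragOnly: "<div id=d>text</div><script>d.dragDrop();</script>",
  suspicious: String.raw`<input type=file name=f><a href="#" onclick="go()">x</a>
<script>var p = "..\\Cookies\\index.dat"; function go() { src.dragDrop(); }</script>`,
};

for (const [name, html] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(scanPage(html)));
}
```

This is a string-matching heuristic and will miss obfuscated or externally loaded script; the mitigation given in the thread remains disabling active scripting.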