We allready knew pressing the back button on IE is dangerous
(http://online.securityfocus.com/archive/1/267561) So it wont come as a
total shock
that so is clicking a link :)
The problem lies in the dragdrop method that was added as a method on
nearly all HTML elements in ie5.5 This method makes any element act like its
being dragged.
It is possible to abuse this behaviour to drop text in a html upload control
thus
allowing you to read any file from an unsuspecting users harddisk. In order
for it to
be succesfull the name of the file must be known
basicly drag and dropping text takes a couple of steps
- select text
- press mouse
- move mouse over over an element that can accept it
- release mouse.
It is possible to mimic all the above steps but the pressing of the button
by using
javascript
a demo is provided at
http://kuperus.xs4all.nl/security/ie/xfiles.htm
it isn't very elegant but seems to work most of the time (ie acts a little
flakey at times),
there are probably better ways to do it if you know of any let me know ;)
it was tested on ie 6 sp1 + all patches
Microsoft was notified a couple of days back, haven't recieved anything back
yet
If you want to protect yourself against this disable active scripting
(http://online.securityfocus.com/archive/1/267561) So it wont come as a
total shock
that so is clicking a link :)
The problem lies in the dragdrop method that was added as a method on
nearly all HTML elements in ie5.5 This method makes any element act like its
being dragged.
It is possible to abuse this behaviour to drop text in a html upload control
thus
allowing you to read any file from an unsuspecting users harddisk. In order
for it to
be succesfull the name of the file must be known
basicly drag and dropping text takes a couple of steps
- select text
- press mouse
- move mouse over over an element that can accept it
- release mouse.
It is possible to mimic all the above steps but the pressing of the button
by using
javascript
a demo is provided at
http://kuperus.xs4all.nl/security/ie/xfiles.htm
it isn't very elegant but seems to work most of the time (ie acts a little
flakey at times),
there are probably better ways to do it if you know of any let me know ;)
it was tested on ie 6 sp1 + all patches
Microsoft was notified a couple of days back, haven't recieved anything back
yet
If you want to protect yourself against this disable active scripting
references:
http://webreference.com/programming/javascript/dragdropie/3.html
http://msdn.microsoft.com/workshop/author/dhtml/reference/methods/dragdr
op.a
sp
[ reply ]