View Full Version : IE - reading local files



Adam [ckkl]
24/03/03, 17:20
Hello,

I don't know if anybody pointed it out before...

While playing with IE [6.0] I found out that
it is possible to read local files with a little
help of user...

How does it work?
1. IE lets you define a style for the INPUT type=file tag,
including a clipping region, which makes it possible to
hide the "Browse..." button.

2. IE lets you handle 3 events
- ondragstart
- ondrag
- ondragend
for misc tags like DIV, INPUT, IMG and others

3. IE lets you change the content of the INPUT after
the user started to drag it

Screenplay:
- user selects text in source INPUT
- user starts to drag text
- ondragstart event is fired
- the function takes control and changes the content of the source INPUT
- user drops the text in the uploading INPUT control
- ondragend event is fired
- function takes control and submits the form at once

Exploit:
- create the INPUT uploading control (type=file)
- change its style to make it look innocent
[remove border, clip the 'Browse...' button]
- create the source INPUT control and make it
look like an innocent text [no borders, no focus]
- write a simple handler for drag* events
- it will change the content of the source INPUT
control to anything we want, f.ex. local filename
- seduce user (f.ex. some kind of drag&drop
JavaScript game) to select text and drag it
into uploading control area and when
it's done (ondragend), submit the form and this
way send the file to the server

Proof of concept:
http://www.sztolnia.pl/hack/dragquIEn/dragquIEn.html

Best Regards
Adam Blaszczyk
reverser, coder, writer & researcher [VX/AV]
http://www.symantec.com (Localization Engineer)
http://www.mykakee.com (Home page)
Whatever I say in this e-mail is my private opinion.
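
The combination the post describes (a file input restyled to hide its "Browse..." button, plus drag event handlers on the same page) can be looked for statically when reviewing untrusted markup. The following is an added example, not code from the original post or its proof of concept; the function names, the regex-based parsing and both sample pages are constructed assumptions.

```javascript
// Added example: heuristic triage for the markup pattern described in the post.
// Regex matching over raw HTML is an assumption to keep this short; a real scanner would use a DOM parser.
const DRAG_EVENTS = ['ondragstart', 'ondrag', 'ondragend'];

// Collect every opening tag as { name, attrs }, with lower-cased names and attribute keys.
function parseTags(html) {
  const tags = [];
  const tagRe = /<([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let t;
  while ((t = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(t[2])) !== null) attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? '';
    tags.push({ name: t[1].toLowerCase(), attrs });
  }
  return tags;
}

// Flag a page only when a disguised file input and a drag handler occur together.
function assessPage(html) {
  const findings = [];
  for (const { name, attrs } of parseTags(html)) {
    const style = (attrs.style || '').toLowerCase();
    const isFile = name === 'input' && (attrs.type || '').toLowerCase() === 'file';
    if (isFile && /\bclip\s*:|\bborder\s*:\s*(none|0)/.test(style)) findings.push('disguised-file-input');
    for (const ev of DRAG_EVENTS) {
      if (ev in attrs) findings.push(`${ev}-handler-on-${name}`);
    }
  }
  const disguised = findings.includes('disguised-file-input');
  const dragHooked = findings.some((f) => f.includes('-handler-on-'));
  return { findings, suspicious: disguised && dragHooked };
}

// Constructed sample with inert, hypothetical handler names: matches the pattern.
const SAMPLE_SUSPECT = `
<form method="post" enctype="multipart/form-data">
  <input type="text" value="drag me" style="border:none"
         ondragstart="hypotheticalStart()" ondragend="hypotheticalEnd()">
  <input type="file" name="f" style="border:none; clip:rect(0 60px 20px 0)">
</form>`;
// Constructed benign sample: a plain upload field next to an unrelated drag handler.
const SAMPLE_BENIGN = `
<form method="post" enctype="multipart/form-data">
  <input type="file" name="avatar">
  <div ondragstart="reorderStart()">item</div>
</form>`;
console.log(assessPage(SAMPLE_SUSPECT), assessPage(SAMPLE_BENIGN));
```

Either signal alone is common in legitimate pages, which is why the check requires both before marking a page for manual review.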

jelmer
24/03/03, 18:05
>> I don't know if anybody pointed it out before...

Yes, I did, see http://msgs.securepoint.com/cgi-bin/get/bugtraq0302/12.html


----- Original Message -----
From: "Adam [ckkl]" <ckkl@poczta.wp.pl>
To: <bugtraq@securityfocus.com>
Sent: Sunday, March 23, 2003 3:10 AM
Subject: IE - reading local files


> Hello,
>
> I don't know if anybody pointed it out before...
>
> While playing with IE [6.0] I found out that
> it is possible to read local files with a little
> help of user...
>
> How does it work?
> 1. IE lets you define a style for the INPUT type=file tag,
> including a clipping region, which makes it possible to
> hide the "Browse..." button.
>
> 2. IE lets you handle 3 events
> - ondragstart
> - ondrag
> - ondragend
> for misc tags like DIV, INPUT, IMG and others
>
> 3. IE lets you change the content of the INPUT after
> the user started to drag it
>
> Screenplay:
> - user selects text in source INPUT
> - user starts to drag text
> - ondragstart event is fired
> - the function takes control and changes the content of the source INPUT
> - user drops the text in the uploading INPUT control
> - ondragend event is fired
> - function takes control and submits the form at once
>
> Exploit:
> - create the INPUT uploading control (type=file)
> - change its style to make it look innocent
> [remove border, clip the 'Browse...' button]
> - create the source INPUT control and make it
> look like an innocent text [no borders, no focus]
> - write a simple handler for drag* events
> - it will change the content of the source INPUT
> control to anything we want, f.ex. local filename
> - seduce user (f.ex. some kind of drag&drop
> JavaScript game) to select text and drag it
> into uploading control area and when
> it's done (ondragend), submit the form and this
> way send the file to the server
>
> Proof of concept:
> http://www.sztolnia.pl/hack/dragquIEn/dragquIEn.html
>
> Best Regards
> Adam Blaszczyk
> reverser, coder, writer & researcher [VX/AV]
> http://www.symantec.com (Localization Engineer)
> http://www.mykakee.com (Home page)
> Whatever I say in this e-mail is my private opinion.
>