Kae Verens

file upload security problem

by kae verens on Jun.02, 2006, under javascript, linux, web development

Check this out (but only if you trust me):

demo (source)

It relies on a bug in some browsers, where the “type” of an input box can be changed into “file” without clearing the value of the input.
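A regression check for the behaviour described above, as an added example that is not the author's demo or its source: it sets a harmless constructed marker on a text input, switches the type to "file", and reports whether the value survived. The function names and the two document models are assumptions made for illustration; the hardened model stands in for a fixed browser that clears the value on the switch.

```javascript
// Returns true when an input keeps a script-set value after becoming type="file".
function typeSwitchKeepsValue(doc) {
  const el = doc.createElement('input');
  el.type = 'text';
  el.value = 'constructed-marker.txt'; // harmless constructed marker, not a real path
  try {
    el.type = 'file';
  } catch (e) {
    return false; // the type change itself was refused
  }
  return el.type === 'file' && el.value !== '';
}

// Constructed model of the buggy behaviour: type is a plain property, value is untouched.
function makeVulnerableDocument() {
  return { createElement: () => ({ type: 'text', value: '' }) };
}

// Constructed model of a fixed browser (assumption): switching to "file" clears the
// value, and a file input rejects any script-set non-empty value.
function makeHardenedDocument() {
  return {
    createElement() {
      let type = 'text';
      let value = '';
      return {
        get type() { return type; },
        set type(t) {
          if (t === 'file' && type !== 'file') value = '';
          type = t;
        },
        get value() { return value; },
        set value(v) {
          if (type === 'file' && v !== '') throw new Error('InvalidStateError');
          value = v;
        },
      };
    },
  };
}

// Stand-alone run: report on each model, and on the real DOM when one exists.
console.log('vulnerable model:', typeSwitchKeepsValue(makeVulnerableDocument()));
console.log('hardened model:', typeSwitchKeepsValue(makeHardenedDocument()));
if (typeof document !== 'undefined') {
  console.log('this browser:', typeSwitchKeepsValue(document));
}
```

Pasted into a browser console, the last line reports the result for that browser's own DOM.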

Fixed in the latest version of Firefox (1.5.0.4). Couldn’t test IE, as it sucks and couldn’t handle the JavaScript.

Tried this out on the lucky denizens of #linux (irc:irc.linux.ie), and was immediately rewarded with some exclamations of surprise that I’d gotten through their defenses.

Script works in Konqueror (tested 3.5.2) and Safari (1.3.2). Causes a strange rendering problem in Opera.

For those of you that are concerned that I now “ownz” your computer – /etc/passwd is safe. Passwords are stored in /etc/shadow. Anyway, I don’t store any of the files you’ve unwittingly uploaded.


2 Comments for this entry

  • Donncha O Caoimh

    I tried the demo in FF 1.5.0.3 in Ubuntu. The text box displayed /etc/passwd first but when it was converted to a file upload box the text disappeared. When I hit the submit button Gnome’s file requester appeared to browse for a file.
    Strange?

  • Kae Verens

    There is no submit button ;-) That was the “browse…” button. We know then that the fix for Firefox was installed before 1.5.0.4.
