We allready knew pressing the back button on IE is dangerous (http://online.securityfocus.com/archive/1/267561) So it wont come as a total shock that so is clicking a link :) The problem lies in the dragdrop method that was added as a method on nearly all HTML elements in ie5.5 This method makes any element act like its being dragged. It is possible to abuse this behaviour to drop text in a html upload control thus allowing you to read any file from an unsuspecting users harddisk. In order for it to be succesfull the name of the file must be known basicly drag and dropping text takes a couple of steps - select text - press mouse - move mouse over over an element that can accept it - release mouse. It is possible to mimic all the above steps but the pressing of the button by using javascript a demo is provided at http://kuperus.xs4all.nl/security/ie/xfiles.htm it isn't very elegant but seems to work most of the time (ie acts a little flakey at times), there are probably better ways to do it if you know of any let me know ;) it was tested on ie 6 sp1 + all patches Microsoft was notified a couple of days back, haven't recieved anything back yet If you want to protect yourself against this disable active scripting references: http://webreference.com/programming/javascript/dragdropie/3.html http://msdn.microsoft.com/workshop/author/dhtml/reference/methods/dragdrop.a sp
