Re: internet explorer local file reading

Nice Jelmer.

First of all, I can confirm it on Win2000 pro, IE 6 SP1.

This is not the first time we have seen user interaction
problems with the upload control. Maybe you remember:
"Pressing CTRL in IE is dangerous"
http://online.securityfocus.com/archive/1/283866
(Taking advantage of pasting. SHIFT also works because SHIFT-INSERT =
CTRL-V)

Btw, we only need to know the relative path. For example we can use:
"..\\Cookies\\index.dat" instead of "c:\\jelmer.txt"

/Andreas Sandblad

On Mon, 3 Feb 2003, jelmer wrote:

> We already knew pressing the back button on IE is dangerous
> (http://online.securityfocus.com/archive/1/267561), so it won't come as a
> total shock that so is clicking a link :)
> The problem lies in the dragdrop method that was added as a method on
> nearly all HTML elements in IE 5.5. This method makes any element act like
> it's being dragged.
>
> It is possible to abuse this behaviour to drop text in an HTML upload
> control, thus allowing you to read any file from an unsuspecting user's
> hard disk. In order for it to be successful, the name of the file must be
> known.
>
> Basically, drag and dropping text takes a couple of steps:
>
> - select text
> - press mouse
> - move mouse over an element that can accept it
> - release mouse.
>
> It is possible to mimic all the above steps but the pressing of the button
> by using JavaScript.
>
> A demo is provided at
>
> http://kuperus.xs4all.nl/security/ie/xfiles.htm
>
> It isn't very elegant but seems to work most of the time (IE acts a little
> flaky at times);
> there are probably better ways to do it. If you know of any, let me know ;)
>
>
> It was tested on IE 6 SP1 + all patches.
>
> Microsoft was notified a couple of days back; haven't received anything
> back yet.
>
> If you want to protect yourself against this, disable active scripting.
>
>
> references:
>
> http://webreference.com/programming/javascript/dragdropie/3.html
> http://msdn.microsoft.com/workshop/author/dhtml/reference/methods/dragdrop.asp
>

-- 
    _     _
  o' \,=./ `o
     (o o)
-ooO--(_)--Ooo-

