In association with heise online

27 February 2007, 12:34

Security vulnerability using file upload form and JavaScript [update]

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Developers of a number of browsers have failed properly to fix a known vulnerability, with which an attacker could upload files to the internet using JavaScript and file upload form fields. Michal Zalewski has published demonstrations on the internet, which include a demonstration of a new attack on Internet Explorer 7. In order to exploit the vulnerability, however, the user is required to offer considerable assistance.

The vulnerability arises because webpages can use JavaScript to copy keystrokes into file upload fields, by, for example, switching the focus between entry fields in forms between onKeyDown and onKeyPressed events. File upload form fields enjoy extra protection so that scripts can't automatically select files and send them to the internet - however this protection can be circumvented.

In Firefox, the vulnerability has been known about for about seven years. The initial discussion on the Bugzilla system concerned whether Zalewski's discovery represented a new bug or whether it was the old bug. It turned out to be the old vulnerability. Microsoft's Internet Explorer also contains the bug, which has, however, been fixed in IE7. Nevertheless, Zalewski has found a new way of diverting keystrokes in IE7 to send files to the internet.

The vulnerability is not actually too critical, as the user must enter specific characters, which have to be filtered to a webpage using JavaScript. However, a malicious website could cause users to enter the required sequence of characters by, for example, using comment functions. In tests carried out by heise Security, the demonstration worked immediately with Internet Explorer 7, but only on Firefox when used with an English language keyboard. Acccording to Zalewski, the reason for this is that the "Firefox exploit depends on interpreting raw keycodes, and was designed for a standard US QWERTY keyboard (MSIE7 does not depend on keycode data - it reads actual ASCII codes of keys instead)."

In Opera, also according to Zalewski, JavaScript is not permitted to set the focus to file upload fields, for which reason Opera is not vulnerable to this attack.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit