file upload security problem

Check this out (but only if you trust me):

demo (source)

It relies on a bug in some browsers, where the “type” of an input box can be changed into “file” without clearing the value of the input.

Fixed in the latest version of Firefox (1.5.0.4). Couldn’t test IE, as it sucks and couldn’t handle the JavaScript.

Tried this out on the lucky denizens of #linux (irc:irc.linux.ie), and was immediately rewarded with some exclamations of surprise that I’d gotten through their defenses.

Script works in Konqueror (tested 3.5.2) and Safari (1.3.2). Causes a strange rendering problem in Opera.

For those of you that are concerned that I know “ownz” your computer – /etc/passwd is safe. Passwords are stored in /etc/shadow. Anyway, I don’t store any of the files you’ve unwittingly uploaded.

2 Replies to “file upload security problem”

  1. I tried the demo in FF 1.5.0.3 in Ubuntu. The text box displayed /etc/passwd first but when it was converted to a file upload box the text disappeared. When I hit the submit button Gnome’s file requester appeared to browse for a file.
    Strange?

  2. there is no submit button 😉 that was the “browse…” button. we know then that the fix for Firefox was installed before 1.5.0.4 then

Comments are closed.