Linked by Thom Holwerda on Tue 27th Feb 2007 16:40 UTC, submitted by flanque
Internet Explorer 7 and Firefox 2.0 share a logic flaw. The issue is actually more severe, as these two versions of the Microsoft and Mozilla browsers are not the only ones affected. In this regard, the vulnerability impacts Internet Explorer 5.01, Internet Explorer 6 and Internet Explorer 7, but also Firefox 1.5.0.9. Microsoft has stressed the fact that IE7 on Windows Vista is not affected in any manner.
This is news?
by Almafeta on Tue 27th Feb 2007 18:03 UTC
RE: This is news?
by Tanner on Tue 27th Feb 2007 18:37 UTC in reply to "This is news?"
Tanner Member since:
2005-07-06

Is this FUD?

So for you, Firefox is a reverse-engineered version of IE...

Don't you know that HTML is a universally known markup language, so you can make your own personal rendering engine for HTML pages? Would it be a reverse-engineered version of MS Internet Explorer? ....

....

-__- my god.

Reply Score: 1

RE[2]: This is news?
by Nico57 on Tue 27th Feb 2007 21:15 UTC in reply to "RE: This is news?"
Nico57 Member since:
2006-12-18

Don't think that's the way he meant it.
Try it again changing IE for Firefox and vice versa. ;)

Reply Score: 1

Didn't work
by NxStY on Tue 27th Feb 2007 18:05 UTC
NxStY
Member since:
2005-11-12

I tried the demonstration at:
http://lcamtuf.coredump.cx/focusbug/ffversion.html

And nothing happened. This is Firefox 2.0.0.2 on XP. Perhaps the demonstration is buggy.

Reply Score: 2

RE: Didn't work
by pandronic on Tue 27th Feb 2007 18:54 UTC in reply to "Didn't work"
pandronic Member since:
2006-05-18

It worked here.

Firefox 2.0.0.2, WinXP SP2, running with admin user.

Reply Score: 1

RE[2]: Didn't work
by cg0def on Tue 27th Feb 2007 22:49 UTC in reply to "RE: Didn't work"
cg0def Member since:
2006-02-12

Hey dude, I am running XP SP2 with all the latest patches applied and Firefox 2.0.2 and this exploit NO LONGER WORKS. So next time get your story straight and then post.

Reply Score: 0

RE[3]: Didn't work
by umccullough on Wed 28th Feb 2007 00:35 UTC in reply to "RE[2]: Didn't work"
umccullough Member since:
2006-01-26

I am running XP SP2 with all the latest patches applied and Firefox 2.0.2 and this exploit NO LONGER WORKS

Same here, and it works fine. Damn, must suck when you can't even get a perfectly working exploit to work ;)

Reply Score: 4

RE[4]: Didn't work
by smitty on Wed 28th Feb 2007 01:05 UTC in reply to "RE[3]: Didn't work"
smitty Member since:
2005-10-13

Just to reiterate, yes it does work with Firefox 2.0.0.2 and XP SP2.

Reply Score: 2

RE[3]: Didn't work
by Snifflez on Wed 28th Feb 2007 20:01 UTC in reply to "RE[2]: Didn't work"
Snifflez Member since:
2005-11-15

Are you logged in as an admin or a user with 'read' rights to C:\boot.ini?

Reply Score: 1

mostly a Javascript issue
by umccullough on Tue 27th Feb 2007 18:50 UTC
umccullough
Member since:
2006-01-26

So, it appears that using JavaScript, the page is redirecting select input from the user to the file input box - and then uploading the file to the server once complete.

This doesn't really surprise me - but I wouldn't have thought of it ;)

So, mitigating factors appear to be: have an exploitable browser, have a C:\boot.ini (although any file could be used for this), have administrative privileges (so that accessing boot.ini is possible for the browser in the first place) and have JavaScript enabled.

For the record, it does work on my system... but I have to type very slowly as it's shifting focus around and has a hard time keeping up.

Edited 2007-02-27 18:51

Reply Score: 4

linux?
by Dekkard on Tue 27th Feb 2007 20:36 UTC
Dekkard
Member since:
2006-01-07

How does the test work in Linux? My boot drive is hdb1; incidentally, I like penguins?

Reply Score: 0

Hah.
by deathshadow on Tue 27th Feb 2007 21:18 UTC
deathshadow
Member since:
2005-07-12

The example won't work on my machine, since my boot.ini is on F: ;)

Worth noting it doesn't work in Opera either.

It's an interesting example - the JavaScript engines in both IE and FF only allow the most recent keypresses to be added to a file input... I think the example is a bit more complex than it needs to be - I'm gonna have to play with this. It should be possible to simply use the return state and CSS layering to do this a LOT simpler than how this example is working.

Reply Score: 1

MS said it doesn't work on Vista...
by Nico57 on Tue 27th Feb 2007 21:18 UTC
Nico57
Member since:
2006-12-18

Yeah, sure, since Vista doesn't have a boot.ini it's not affected. ;)

Reply Score: 1

umccullough Member since:
2006-01-26

Good point - in fact I believe I read that this problem exists on Firefox on Linux as well - allowing the upload of a file that the user has access to (i.e. /etc/passwd if the user is root) - would be interesting to see the same exploit written for that scenario ;)

update: oh, someone did
http://www.thanhngan.org/fflinuxversion.html

Edited 2007-02-27 21:30

Reply Score: 2

dylansmrjones Member since:
2005-10-02

Doesn't work too well. One has to write very very slowly for the example to work. But it does illustrate it, though.

Reply Score: 2

deathshadow Member since:
2005-07-12

>> Yeah, sure, since Vista doesn't have a boot.ini
>> it's not affected. ;)

The example doesn't work - the technique itself DOES. Theoretically you could pull any file, so long as you were able to get the user to type in ALL the characters in the filename in the order you want them... Which is why embedding this into a blog, forums or any other large text entry box could be an easy way to gather information...

The above paragraph for example, could (in theory) be used to pull info.txt from the current default browser upload directory (notice the bits in italic)

Would be interesting to see if it could be exploited by making it look like some kind of captcha.

Edited 2007-02-28 01:49

Reply Score: 0

Nico57 Member since:
2006-12-18

:D <- This is a smiley, Mr. "I know better" Deathshadow. It's supposed to express a humorous meaning. Since Vista not having a boot.ini is no fun at all, there must be a catch... ;)

Reply Score: 1

Ubuntu
by lawina on Wed 28th Feb 2007 02:50 UTC
lawina
Member since:
2006-01-20

Running Ubuntu Edgy with Firefox 2.0.0.2 and it does not work.

Reply Score: 1

Konqueror
by moltonel on Wed 28th Feb 2007 23:10 UTC
moltonel
Member since:
2006-02-24

By default, Konqueror asks the user for confirmation when sending a local file. Simple and effective, whatever tricks the webpage may use to set the input to a malicious value.

Reply Score: 2

RE: Konqueror
by umccullough on Thu 1st Mar 2007 03:22 UTC in reply to "Konqueror"
umccullough Member since:
2006-01-26

Konqueror asks the user for confirmation when sending a local file

And I would hope this is exactly what will be done with Firefox. That feature, along with whitelisting support, should be sufficient, and I mean jeez - how often do people upload to a website? Usually one uses just a few such sites regularly (email, photo sharing...).

Not sure about IE, Microsoft has a habit of doing stupid things to "fix" exploits.

Reply Score: 2

NoScript
by Wintermute on Wed 28th Feb 2007 23:33 UTC
Wintermute
Member since:
2005-07-30

Everyone should just use NoScript on Firefox. Makes things so much easier; the vast majority of the new exploits don't work without JavaScript.

NoScript is pretty good at managing JavaScript permissions.

Reply Score: 1