New technique to read arbitrary files from a user's system using Firefox or Internet Explorer
Written by Editor   
Monday, 12 February 2007 23:23

On the 11th, in a posting to the Full Disclosure mailing list, security researcher Michal Zalewski highlighted an interesting proof-of-concept exploit to read arbitrary files from a victim's system via Firefox and Internet Explorer.

With some user interaction, an attacker can redirect the focus of key-press events triggered by the user to a hidden file-upload form field. By tricking the user into typing the characters of the desired filename, the attacker can upload arbitrary files. File-upload form fields (INPUT TYPE=FILE) are normally protected to prevent scripts from uploading local files automatically. However, since 'onKeyDown' and 'onKeyPress' events allow scripts to redirect the focus, this protection can be bypassed with substantial user interaction.
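For anyone reviewing page markup for this pattern, the following added example (not code from the Full Disclosure posting or from this article) is a heuristic audit that reports file-upload fields that are visually concealed and that an inline key-event handler moves focus to. The function names, the style patterns treated as "concealed", and the sample pages are assumptions constructed for illustration; handlers attached from script blocks are not covered.

```javascript
// Heuristic audit for the pattern described above: a concealed file-upload
// field that an inline onkeydown/onkeypress handler moves focus to.
// Regex-based on purpose: a triage aid for reviewers, not an HTML/JS parser.
const FILE_INPUT = /<input\b[^>]*\btype\s*=\s*["']?file\b[^>]*>/gi;
const KEY_HANDLER = /\son(?:keydown|keypress)\s*=\s*(["'])([\s\S]*?)\1/gi;

// Return the value of a quoted attribute inside one tag, or "" if absent.
function attr(tag, name) {
  const m = new RegExp(`\\s${name}\\s*=\\s*(["'])([\\s\\S]*?)\\1`, "i").exec(tag);
  return m ? m[2] : "";
}

// Assumed concealment markers: fully transparent or positioned far off-screen.
function isConcealed(tag) {
  const style = attr(tag, "style").replace(/\s+/g, "").toLowerCase();
  return /opacity:0(?:\.0+)?(?:;|$)|(?:left|top):-\d{3,}/.test(style);
}

// One result per file input. Concealment alone is only "review", because
// hiding a file input behind a styled button is a common legitimate idiom.
function auditPage(html) {
  const handlers = [...html.matchAll(KEY_HANDLER)].map((m) => m[2]);
  return [...html.matchAll(FILE_INPUT)].map((m) => {
    const id = attr(m[0], "id");
    const concealed = isConcealed(m[0]);
    const focusedFromKeyHandler = id !== "" &&
      handlers.some((h) => h.includes(id) && /\.focus\s*\(/.test(h));
    const verdict = concealed && focusedFromKeyHandler ? "flag"
      : concealed || focusedFromKeyHandler ? "review" : "ok";
    return { id, concealed, focusedFromKeyHandler, verdict };
  });
}

// Constructed sample markup, reduced to the two elements the check looks at.
const SUSPECT_PAGE = `<input type="file" id="up" name="up" style="opacity: 0">
<textarea onkeydown="document.getElementById('up').focus()"></textarea>`;
const STYLED_BUTTON_PAGE = `<label>Choose photo
<input type="file" id="photo" style="position:absolute; left:-9999px"></label>`;
const PLAIN_PAGE = `<input type="file" id="avatar" name="avatar">
<input type="text" onkeydown="validate(this)">`;

for (const page of [SUSPECT_PAGE, STYLED_BUTTON_PAGE, PLAIN_PAGE]) {
  console.log(auditPage(page));
}
```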

Proof-of-concept exploits for IE and Firefox have been released and confirmed to exploit the weakness successfully. In the same discussion thread another technique to redirect the keystroke input from the address bar of IE was highlighted, thus making the social-engineering attempt to get the filename considerably less suspicious in IE.

Since this attack requires substantial user interaction, it can be considered 'low' risk. The issue has been acknowledged by the Firefox development team and they plan to release a fix. It is, however, very unlikely that a fix will make it into Microsoft’s patch run, which is due tomorrow.

You can read more about the flaw in the Full Disclosure posting here in our mailing list archive. 


Last Updated ( Monday, 12 February 2007 23:23 )