Mozilla Foundation Security Advisory 2006-23

File stealing by changing input type

Announced
April 13, 2006
Reporter
Claus Jörgensen
Impact
High
Products
Firefox, Mozilla Suite, SeaMonkey
Fixed in
  • Firefox 1.0.8
  • Firefox 1.5.0.2
  • Mozilla Suite 1.7.13
  • SeaMonkey 1.0.1

Description

Claus Jörgensen reports that a text input box can be pre-filled with a filename and then turned into a file-upload control with the contents intact, allowing a malicious website the ability to steal any local file whose name they can guess.

Jesse Ruderman reports a variation, changing the type of the input control in an event handler to work around some of the initial checks.

Workaround

Upgrade to fixed version.

References