Mozilla Foundation Security Advisory 2006-23

File stealing by changing input type

Announced: April 13, 2006
Reporter: Claus Jörgensen
Impact: High
Products: Firefox, Mozilla Suite, SeaMonkey
Fixed in:
  • Firefox 1.0.8
  • Firefox 1.5.0.2
  • Mozilla Suite 1.7.13
  • SeaMonkey 1.0.1

Description

Claus Jörgensen reports that a text input box can be pre-filled with a filename and then turned into a file-upload control with its contents intact, allowing a malicious website to steal any local file whose name it can guess.

Jesse Ruderman reports a variation, changing the type of the input control in an event handler to work around some of the initial checks.
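
The two reported paths can be expressed as a regression check. The following is an added example, not Mozilla's code or test suite: `makeInput`, its `mode` values and `auditTypeSwitch` are hypothetical names, and the control is a simplified model in which the "partial" mode stands in for a check that is skipped while an event handler runs.

```javascript
// Simplified model of a form control (an assumption for illustration, not Mozilla's code).
// mode "none":    value survives any type change (the behaviour the advisory reports)
// mode "partial": hypothetical check that is skipped while an event handler runs
// mode "setter":  value is cleared on every switch into or out of type "file"
function makeInput(mode) {
  let type = "text", value = "", dispatching = false;
  const handlers = {};
  return {
    get type() { return type; },
    set type(next) {
      const crossesFile = (type === "file") !== (next === "file");
      const checked = mode === "setter" || (mode === "partial" && !dispatching);
      if (crossesFile && checked) value = "";
      type = next;
    },
    get value() { return value; },
    set value(v) {
      // Script may only clear a file control; the path comes from the user's picker.
      if (type === "file" && v !== "") return;
      value = String(v);
    },
    addEventListener(name, fn) { (handlers[name] = handlers[name] || []).push(fn); },
    dispatch(name) {
      dispatching = true;
      try { (handlers[name] || []).forEach((fn) => fn.call(this)); }
      finally { dispatching = false; }
    },
  };
}

const SAMPLE = "C:\\constructed\\sample.txt"; // constructed value, not a real target

// Regression check: returns the paths on which a pre-filled value reaches a file control.
function auditTypeSwitch(factory) {
  const findings = [];
  const direct = factory();
  direct.value = SAMPLE;
  direct.type = "file";
  if (direct.value !== "") findings.push("direct");

  const viaHandler = factory();
  viaHandler.value = SAMPLE;
  viaHandler.addEventListener("focus", function () { this.type = "file"; });
  viaHandler.dispatch("focus");
  if (viaHandler.value !== "") findings.push("event-handler");
  return findings;
}

console.log(auditTypeSwitch(() => makeInput("setter"))); // []
```

Only the mode that enforces the rule inside the type setter passes both paths, which is why the check belongs on the state transition rather than on a particular call site.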

Workaround

Upgrade to a fixed version.
