Computer Security


Microsoft Internet Explorer / Mozilla Firefox user input hijacking
Published: 12.02.2007
Source:
SecurityVulns ID: 7214
Type: client
Threat Level: 5/10
Description: It's possible to hijack input focus by using OnKeyDown / OnKeyPress events.
Affected: MICROSOFT : Windows 2000 Server
 MICROSOFT : Windows 2000 Professional
 MICROSOFT : Windows XP
 MICROSOFT : Windows 2003 Server
 MOZILLA : Firefox 2.0
 MICROSOFT : Windows Vista
CVE: CVE-2006-2894 (Mozilla Firefox 1.5.0.4, Mozilla Suite 1.7.13, Mozilla SeaMonkey 1.0.2, and Netscape 8.1 and earlier allows user-assisted remote attackers to read arbitrary files by tricking a user into typing the characters of the target filename in a text box and using the OnKeyDown, OnKeyPress, and OnKeyUp Javascript keystroke events to change the focus and cause those characters to be inserted into a file upload input control, which can then upload the file when the user submits the form.)
Original documents: Michal Zalewski, [Full-disclosure] Firefox/MSIE focus stealing vulnerability - clarification (12.02.2007)
 Michal Zalewski, [Full-disclosure] Firefox focus stealing vulnerability (possibly other browsers) (12.02.2007)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod