Mozilla Foundation Security Advisory 2006-23
File stealing by changing input type
- Announced
- April 13, 2006
- Reporter
- Claus Jörgensen
- Impact
- High
- Products
- Firefox, Mozilla Suite, SeaMonkey
- Fixed in
-
- Firefox 1.0.8
- Firefox 1.5.0.2
- Mozilla Suite 1.7.13
- SeaMonkey 1.0.1
Description
Claus Jörgensen reports that a text input box can be pre-filled with a filename and then turned into a file-upload control with the contents intact, allowing a malicious website the ability to steal any local file whose name they can guess.
Jesse Ruderman reports a variation, changing the type of the input control in an event handler to work around some of the initial checks.
Workaround
Upgrade to fixed version.