Mozilla Foundation Security Advisory 2006-23

File stealing by changing input type

Announced

April 13, 2006

Reporter

Claus Jörgensen

Impact

High

Products

Firefox, Mozilla Suite, SeaMonkey

Fixed in

Firefox 1.0.8
Firefox 1.5.0.2
Mozilla Suite 1.7.13
SeaMonkey 1.0.1

Description

Claus Jörgensen reports that a text input box can be pre-filled with a filename and then turned into a file-upload control with the contents intact, allowing a malicious website the ability to steal any local file whose name they can guess.

Jesse Ruderman reports a variation, changing the type of the input control in an event handler to work around some of the initial checks.

Workaround

Upgrade to fixed version.

References

https://bugzilla.mozilla.org/show_bug.cgi?id=325947
https://bugzilla.mozilla.org/show_bug.cgi?id=328566
CVE-2006-1729

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice