Multiple Vendor Web Browser JavaScript Key Filtering Vulnerability

Discussion in 'Computer Security' started by imhotep, Jun 7, 2006.

  1. imhotep

    imhotep Guest

    Affects: IE, Firefox, etc.

    Multiple Vendor Web Browser JavaScript Key Filtering Vulnerability

    "Multiple web browser products are susceptible to a JavaScript key-filtering
    vulnerability. This issue is due to the failure of the browsers to securely
    handle keystroke input from users.

    This issue is demonstrated to allow attackers to divert keystrokes from one
    input form in a webpage to a hidden file upload dialog in the same page.
    This may allow remote attackers to initiate file uploads from unsuspecting
    users. Other attacks may also be possible.

    Exploiting this issue requires that users manually type the full path of
    files that attackers wish to download. This may require substantial typing
    from targeted users, so keyboard-based games, blogs, or other similar pages
    are likely to be utilized by attackers to entice users to enter the
    required keyboard input to exploit this issue.

    Mozilla Suite, Mozilla Firefox, Mozilla SeaMonkey, Netscape Navigator, and
    Microsoft Internet Explorer are all reportedly vulnerable to this issue."


    http://www.securityfocus.com/bid/18308/discuss


    -- Imhotep
     
    imhotep, Jun 7, 2006
    #1

  2. imhotep wrote:

    > This issue is demonstrated to allow attackers to divert keystrokes from one
    > input form in a webpage to a hidden file upload dialog in the same page.
    > This may allow remote attackers to initiate file uploads from unsuspecting
    > users. Other attacks may also be possible.


    Where exactly is the vulnerability? It's the same as entering the data
    into an invisible form. It's purely PEBKAC.

    > Exploiting this issue requires that users manually type the full path of
    > files that attackers wish to download. This may require substantial typing
    > from targeted users, so keyboard-based games, blogs, or other similar pages
    > are likely to be utilized by attackers to entice users to enter the
    > required keyboard input to exploit this issue.


    What about keystroke sniffing across frames and domains? For IE this is
    actually told to be a feature, like any other phishing support. Now this
    is a serious problem because one can spoof the address bar on IE as well
    and you'll get the SSL lock for free.

    <script>
    var keylog = 'Capturing: ';
    document.onkeypress = function () {
        var k = window.event.keyCode;   // IE-only: the event is read from window.event, not a handler argument
        // append each typed character (and its code) and show the running log in the status bar
        window.status = keylog += String.fromCharCode(k) + '[' + k + ']';
    }
    </script>
    <frameset onLoad="this.focus();" onBlur="this.focus();" cols="100%,*">
    <frame src="https://www.paypal.com" scrolling="auto">
    </frameset>

    BTW, [X] Tell news!
     
    Sebastian Gottschalk, Jun 7, 2006
    #2

  3. imhotep

    imhotep Guest

    Sebastian Gottschalk wrote:

    > imhotep wrote:
    >
    >> This issue is demonstrated to allow attackers to divert keystrokes from
    >> one input form in a webpage to a hidden file upload dialog in the same
    >> page. This may allow remote attackers to initiate file uploads from
    >> unsuspecting users. Other attacks may also be possible.

    >
    > Where exactly is the vulnerability? It's the same as entering the data
    > into an invisible form. It's purely PEBKAC.


    PEBKAC????

    >> Exploiting this issue requires that users manually type the full path of
    >> files that attackers wish to download. This may require substantial
    >> typing from targeted users, so keyboard-based games, blogs, or other
    >> similar pages are likely to be utilized by attackers to entice users to
    >> enter the required keyboard input to exploit this issue.

    >
    > What about keystroke sniffing across frames and domains? For IE this is
    > actually told to be a feature, like any other phishing support. Now this
    > is a serious problem because one can spoof the address bar on IE as well
    > and you'll get the SSL lock for free.


    hummmm "feature" eh? Go figure...

    > <script>
    > var keylog='Capturing: ';
    > document.onkeypress = function () {
    > k = window.event.keyCode;
    > window.status = keylog += String.fromCharCode(k) + '[' + k +']';}
    > </script>
    > <frameset onLoad="this.focus();" onBlur="this.focus();" cols="100%,*">
    > <frame src="https://www.paypal.com" scrolling="auto">
    > </frameset>
    >
    > BTW, [X] Tell news!



    Imhotep
     
    imhotep, Jun 7, 2006
    #3
  4. imhotep wrote:

    >> Where exactly is the vulnerability? It's the same as entering the data
    >> into an invisible form. It's purely PEBKAC.

    >
    > PEBKAC????


    Problem exists between keyboard and chair.

    >> What about keystroke sniffing across frames and domains? For IE this is
    >> actually told to be a feature, like any other phishing support. Now this
    >> is a serious problem because one can spoof the address bar on IE as well
    >> and you'll get the SSL lock for free.

    >
    > hummmm "feature" eh? Go figures...


    Don't tell me, tell Microsoft. Keystroke sniffing was reported a
    year ago or so. Same goes for all the other phishing stuff IE is open to,
    like putting a DIV layer over a frame loaded with a website from another
    domain.
     
    Sebastian Gottschalk, Jun 7, 2006
    #4
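    Both tricks discussed in this thread, the frameset around a third-party login page in #2 and the DIV layer over a cross-domain frame in #4, only work if the target site lets itself be loaded in a frame at all. The following is an added example (not posted by anyone in the thread) that audits a raw HTTP response header block for the two controls a site owner has against this: the X-Frame-Options header and the CSP frame-ancestors directive. The sample responses are constructed, not captured from any real site.

```javascript
// Added example: audit a response's anti-framing controls. Sample headers are constructed.

// Parse a raw header block into a lower-cased name -> [values] map.
function parseHeaders(raw) {
  const map = {};
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx < 0) continue;                       // skip the status line and blank lines
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    (map[name] = map[name] || []).push(value);   // headers may repeat
  }
  return map;
}

// Return the source list of the first frame-ancestors directive found, or null.
function frameAncestors(cspValues) {
  for (const csp of cspValues) {
    for (const directive of csp.split(';')) {
      const parts = directive.trim().split(/\s+/);
      if (parts[0].toLowerCase() === 'frame-ancestors') return parts.slice(1);
    }
  }
  return null;
}

// Classify the response as 'blocked', 'same-origin', 'restricted' or 'framable'.
// Browsers that support CSP frame-ancestors give it precedence over X-Frame-Options,
// so an enforced frame-ancestors directive decides when it is present.
function framingPolicy(rawHeaders) {
  const h = parseHeaders(rawHeaders);
  const fa = frameAncestors(h['content-security-policy'] || []);
  if (fa) {
    const srcs = fa.map(s => s.toLowerCase());
    if (srcs.includes("'none'")) return 'blocked';
    if (srcs.includes('*')) return 'framable';
    if (srcs.length === 1 && srcs[0] === "'self'") return 'same-origin';
    return 'restricted';                         // an explicit allow-list of origins
  }
  const xfo = (h['x-frame-options'] || [])[0];
  if (xfo) {
    const v = xfo.toUpperCase();
    if (v === 'DENY') return 'blocked';
    if (v === 'SAMEORIGIN') return 'same-origin';
  }
  return 'framable';                             // no control: any page may frame it
}

// Constructed responses for a login page: one without any control, one hardened.
const WEAK_RESPONSE = 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n';
const HARDENED_RESPONSE = 'HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n' +
  "Content-Security-Policy: frame-ancestors 'none'\r\n";
```

    A Content-Security-Policy-Report-Only header is deliberately ignored here because it reports but does not enforce.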
