Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: javascript file upload entry - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
javascript file upload entry
A full disclosure post today had an exploit that used javascript in browsers to selectively "steal" keystrokes from the user typing and channeling it into the file upload field.  So as long as you type enough they could make you as well type the filename they were after.

While this attack needs more to become a bit effective (like making the user type the needed letters), it does show the dangers of running javascript once again. Your best choice if you use e.g. FireFox is to use something like Noscript. It allows you to turn javascript off by default and turn it on as needed for selected sites (those where the webmaster doesn't care for users not wanting to expose themselves to randomly downloaded executable content)

Aparently both Firefox and MSIE suffer from this.

--
Swa Frantzen - Section66


Swa

760 Posts

Sign Up for Free or Log In to start participating in the conversation!