
SANS ISC: javascript file upload entry SANS ISC InfoSec Forums

javascript file upload entry
A full disclosure post today had an exploit that uses JavaScript in browsers to selectively "steal" keystrokes as the user types and channel them into the file upload field. So as long as you type enough, they could just as well make you type the filename they were after.

While this attack needs more work to become even somewhat effective (like making the user type the needed letters), it does show the dangers of running JavaScript once again. Your best choice if you use e.g. Firefox is to use something like NoScript. It allows you to turn JavaScript off by default and turn it on as needed for selected sites (those where the webmaster doesn't care about users not wanting to expose themselves to randomly downloaded executable content).

Apparently both Firefox and MSIE suffer from this.

Swa Frantzen - Section66


760 Posts
Jun 6th 2006
