135 Comments
- senfo, on 10/12/2007, -6/+48
"Exploiting this issue requires that users manually type the full path of files that attackers wish to download"
haha, yeah right. People can be dumb, no doubt, but if you're THAT dumb, you probably won't know where to find the file, anyhow.

- lordthor, on 10/12/2007, -17/+48
The race is on! Who will come out with a fix first!?
In the one corner, we have the always fast, always sexy, always red and flaming FIREFOX!
And in the other corner..... eye ee.
All on FF to win.

- CornStarch, on 10/12/2007, -12/+39
Firefox has a fix for this, it's called NoScript: https://addons.mozilla.org/firefox/722/
It has a bit of a curve, but it's almost seamless when you get it up and running.

- dWhisper, on 10/12/2007, -1/+27
Technically, wouldn't this be a JavaScript flaw, which then propagates down to the various browsers?
- arof, on 10/12/2007, -5/+27
@rastorbater
    if(Javascript != Java)
    {
        boolean yourCommentsValidity = false;
    }

- SniperX, on 10/12/2007, -7/+28
Wow, it really bugs me when these supposedly reputable security companies come out with a sensationalist outcry about something so obvious and that should cause little to no concern.
It's Javascript, it can see what key you pushed if that page has focus. We have known about this for a decade, guess what? Flash can do it too, when will we see a "breakthrough" security release about this? Maybe, like Cputerace said, next time they get into hot water over a vulnerability that they have.
(which I might add, was also obvious)

- armbar, on 10/12/2007, -5/+22
@saska
Opera's not based on Mozilla--it's been built from the ground up independently, since 1994 or so.

- thetanbark, on 10/12/2007, -7/+23
Firefox extension NoScript will prevent JavaScript from running on all pages you don't already allow it on. This should be one of those features built into the app already:
http://www.noscript.net/whats

- rolosworld, on 10/12/2007, -5/+20
this doesn't sound like a bug... sounds more like a design issue...
- Bogtha, on 10/12/2007, -5/+18
That's pretty misleading. You don't have to type, e.g., "C://w.exe" in order for this to be a problem, you just have to type any string that has those characters in, in that order. So the phrase "Come on, go to http://www.example.com/" can be used to derive the path "C://w.exe".

- Bogtha, on 10/12/2007, -2/+14
> It isn't even a flaw
Of course it is. The security for the file upload form control is hinged on the fact that the only person that can select a file to upload is the user. This flaw allows a website to trick the user into selecting a particular file even though they don't even know the file upload form control exists.
> How exactly do you 'fix' something like this without basically disabling whole chunks of functionality of JS that are being used by many valid applications?
This is a flaw specific to the handling of file upload form controls. Three obvious fixes spring to my mind:
* Don't allow event handlers to prevent the default behaviour for file upload form controls, or
* Don't allow event handlers to be attached to file upload form controls at all, or
* Don't allow event handlers to set focus to file upload form controls.
None of these fixes "disable whole chunks of functionality", in fact I can't think of a valid reason for wanting to do any of those three actions.

- tagnarth, on 10/12/2007, -0/+11
Please oh Please people do not blow this way out of proportion.. I can imagine in the next few hours this going to be everywhere. This thing is so low critical it's not funny. First you have to be going to a non-reputable site in the first place, then you have to be typing in characters that are contained in the file that they want. We are not going to see some mass explosion of exploits. More than likely our lovely friends the phishers will just incorporate this into their crappy rip off sites.
I'm sure we'll see this fixed in the next FF release. How fast that comes depends on how bad the media blow this out of proportion.

- stmiller, on 10/12/2007, -4/+15
Why comment the parent down? This is a great extension.
- Bogtha, on 10/12/2007, -10/+21
> Why don't they release a fix and then tell people?
Mozilla.org have known about this for six years. How much longer is he supposed to wait for them to fix it?

- enkafan, on 10/12/2007, -0/+8
For those who say you'd have to be stupid to type in a file name, take for example the CAPTCHA box right below what I'm typing. How hard would it be to set up a fake porn site with a CAPTCHA image with something like c*j:9bkorot.iUn$i. Then all you'd have to do is redirect the c:boot.ini portion (or whatever string you were looking for) of the string to the file upload textbox.
People will type anything to get free porn (or warez)

- noahhoward, on 10/12/2007, -4/+12
It isn't even a flaw, it is just some jackass looking for new ways to misuse something.
The fix needs to come on the side of users who need to verify that they are typing data into a trusted site. Which is easier said than done.
I don't think this can just be inserted into a site's code, you'd either have to hack and gain access to the file then change it (which isn't a browser vulnerability it is a hack job) or the page would have to be written for that purpose.
I don't agree that the solution should be to disable javascript support. JS is a useful language. Disabling hackers would be fun though, a metal rod across the knuckles and kneecaps works.

- gotamd, on 10/12/2007, -2/+9
Noscript is excellent at what it does, but it gets annoying having to enable scripts on all the websites I visit. They need some kind of "safe sites" repository that can be updated and synced if the user wishes.
- uberushaximus, on 10/12/2007, -0/+7
"Multiple security organizations warned Tuesday that Internet Explorer, Firefox, Mozilla, and SeaMonkey -- on Windows, Linux, and the Mac"

- eklass, on 10/12/2007, -3/+9
I agree that this looks more like an exploitation of JavaScript mechanics rather than a browser (or JavaScript) flaw. Hell, look at Secunia's response:
Solution:
Disable JavaScript support.

- armbar, on 10/12/2007, -1/+7
This is 95% social engineering, 5% browser "flaw". The only thing I would do as a browser manufacturer would be to display a notice that the user is uploading a file, to make sure they know about it. Other than that, this article only describes standard JavaScript functionality.
- Xanin, on 10/12/2007, -4/+10
it's "according to Symanetc" lol...

- Cronus6, on 10/12/2007, -1/+7
According to what I'm reading Opera (as always) :
"The Secunia database currently contains 0 Secunia advisories marked as "Unpatched", which affects Opera 8.x."
In fact, since December of 2005, I don't think there has been a security advisory for Opera at all.
http://secunia.com/product/4932/

- dWhisper, on 10/12/2007, -3/+8
It just seemed like Symantec (which is iffy on some of their practices anyway) was trying to sensationalize or grab attention by calling out the browsers, over the root cause.
- uberushaximus, on 10/12/2007, -2/+7
Two things
One being that NoScript has been out for ages, and it's been pointed out that it is a Javascript flaw, and therefore afflicts all browsers that use Javascript

- reject, on 10/12/2007, -1/+6
Why are people against Opera? Opera is the best browser from a fresh-install standpoint. Firefox's extensions make it the clear overall leader in usability, but Opera is a damn fine browser, who, as pointed out by numerous Diggers, is not as susceptible to flaws. So, if there's some new or older vulnerability in Firefox and IE, use Opera for the pages you don't trust.
You can use the following Firefox extension to view pages in Opera you feel aren't safe:
https://addons.mozilla.org/firefox/1190/
Or, just be smart and, as other users mentioned, use NoScript for Firefox and Maxthon or something for IE.
Just, please, respect Opera. It's the second-best all-around browser compared to Firefox, and, 'out of the box', actually better in a lot of regards. Less memory usage, fewer vulnerabilities, constant updates (check the desktop team's site for the 9.0 betas), etc. Though it does have its own drawbacks (no richtext copy & paste, some pages look funky, etc.).
Don't hate on others for offering other Diggers an alternative.

- boredzo, on 10/12/2007, -2/+7
Bogtha: But that implies foreknowledge of the path to be obtained. If you have that, you don't need to obtain the path after all.
- Bogtha, on 10/12/2007, -2/+7
@SniperX (and everybody digging his comment),
> It's Javascript, it can see what key you pushed if that page has focus. We have known about this for a decade, guess what? Flash can do it too, when will we see a "breakthrough" security release about this?
This is about uploading files from the user's computer without their knowledge, not listening to keystrokes. I know the article was confusing to read, but try following the link to the bug report, it's a lot clearer.

- gahzinia, on 10/12/2007, -1/+6
http://secunia.com/advisories/20449/ and http://secunia.com/advisories/20442/ have more information on this.
- The_Decryptor, on 10/12/2007, -3/+7
"This is about uploading files from the user's computer without their knowledge"
Yeah, all you have to make them do is type the full path for it.
There is a certain point when human stupidity part surpasses the "this is a flaw" part

- ocram, on 10/12/2007, -0/+4
"It's the second-best all-around browser compared to Firefox"
That's a matter of opinion. When you have to download half a dozen extensions just to have it equal Opera, I would consider Opera the superior product. Admittedly, there are a couple of extensions that I miss from Firefox, but nothing that would make me consider switching back.
Also, IMO the way tabs are implemented within Opera is the correct way to do so, and Opera just feels like a more solid and mature browser.
However, any browser is better than IE. ;-)

- percyhanna, on 10/12/2007, -1/+5
It's a DOM implementation issue more than just JavaScript. JavaScript has no knowledge of onKeyDown/onKeyPress/etc. in and of itself...
- inactive, on 10/12/2007, -6/+10
Use Opera
http://www.opera.com

- JoshuaPDavis, on 10/12/2007, -0/+4
Zero-day means that there are exploits in the wild before the flaw is generally known, as opposed to when the flaw is found first.
http://en.wikipedia.org/wiki/Zero_day

- mangledspine, on 10/12/2007, -8/+12
@saska:
No, Opera is not based on Mozilla. Plain and simple.

- lunarship, on 10/12/2007, -1/+5
In JavaScript terms, the F12 key comes in handy as well. Best feature in Opera, and one other browsers still haven't emulated. :-)
- Bogtha, on 10/12/2007, -4/+8
Copied from my comment attached to the other Digg submission:
That's a pretty awful writeup, I was confused until I read the original email sent to the mailing list.
Basically, it works like this:
* You have a file upload form control and a normal text input form control.
* You guess the filename of a particular file you want on their system.
* You convince the user to type lots of text into the text input form control.
* On each keydown event, switch the focus to the file upload control.
* The file upload control will receive the keypress event, which you can cancel or allow depending on whether you want that character or not.
* The file upload control will then receive the keyup event, which you use to send the focus back to the text input control, making it look like nothing has happened.
It's a relatively hard-to-exploit bug because you need to get the user to enter all the characters in the path to the file that you want, in that order. What's more interesting is that this is another security hole that Mozilla.org have known about for years and done nothing about until somebody made it public - security through obscurity.
Let me repeat that, Mozilla.org have known about this bug for six years, and have only fixed it because somebody posted it to a full disclosure mailing list.

- Bogtha, on 10/12/2007, -1/+4
> Either way, it might be safe to assume that you also have access to whatever server side code is executed on the web server which you can gain access to form data even easier without executing any code on the client.
The issue is not that you can read form data, the issue is that you can trick the browser into uploading files from the user's computer without their knowledge.

- gambl0r, on 10/12/2007, -2/+5
Exactly. How exactly do you 'fix' something like this without basically disabling whole chunks of functionality of JS that are being used by many valid applications? What we'll end up getting are more security warnings, which just freak out non-pc-savvy users and end up with them disabling JS altogether :(
- inactive, on 10/12/2007, -2/+5
It'd be handy if NoScript worked in conjunction with your AdBlock whitelist

- Hydroxyl, on 10/12/2007, -14/+17
He's just trying to warn you. Jeez.
It's like this:
"I didn't know there was a fire in that forest until I saw it and ran out."
What he is doing is basically saying, "Ey, there's a fire, lol!"
Yeah, bad use of metaphors, but you guys get the picture!

- arof, on 10/12/2007, -3/+6
@gekkokid
It's a code fragment. It's against digg etiquette to place whole Java classes in a comment just for a simple joke.

- Bogtha, on 10/12/2007, -0/+3
> Mind sharing the bugzilla entry for us?
Sure: https://bugzilla.mozilla.org/show_bug.cgi?id=56236
Bizarrely, somebody said that one of the reasons for not fixing it was because other browsers were vulnerable.

- mikechml, on 10/12/2007, -2/+5
All versions
- userundefine, on 10/12/2007, -7/+10
Wonder who'll patch this quicker...

- willcode4beer, on 10/12/2007, -0/+3
However, the attacker will have to know the full path of the file they want. This would seem to limit some of the usefulness, or at least make it more difficult to be useful.

- inactive, on 10/12/2007, -3/+6
Any browser that supports Javascript is "affected" because it's not a virus or a flaw, it's just taking advantage of Javascript's innate ability to provide interactive content. I don't really see how this can be "fixed" without disabling or neutering legit scripts or disabling javascript.

- percyhanna, on 10/12/2007, -0/+2
The description of the article was definitely quite horrible, even the article itself gave me no actual information on what the flaw was exploiting, it was only once I viewed the code that I understood what the crap was going on.

- percyhanna, on 10/12/2007, -0/+2
This is not a *JavaScript* flaw, it's a DOM implementation bug. The problem is that in between the keydown and keyup events, the focus()-ed element has changed, and all of a sudden the file upload input receives the keystroke instead of the original input. AFAIK, Safari does not get this bug because it does not have an input text field for file selection, it ONLY has a popup. Maybe one could simply block the keypress/keyup events on a hidden file upload input?

- dharm, on 10/12/2007, -0/+2
actual source for the not so zero-day exploit
also contains POC
http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046610.html

- Peepsalot, on 10/12/2007, -0/+2
The ideal solution seems simple to me. Browsers should not permit the .focus() method to be called on any input of type "FILE".
I can't think of any really good reason to allow the browser to focus on a file upload field. So, after the fix, if the user wants to upload a file, they are gonna have to focus their cursor on the input field all by themselves (a single click). Hardly an inconvenience.
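Bogtha's third proposed fix and Peepsalot's suggestion come down to the same browser-side rule: page script must not be able to move focus onto a file upload control. The block below is an added example, not code from this thread, from Mozilla or from any browser engine. It is a toy JavaScript model of the keydown/keypress/keyup sequence Bogtha and percyhanna describe, written as the regression check a browser developer would run to confirm that refusing script-driven focus() on a file input leaves the text box with every character and the file control empty. Control, Page, runFocusStealScenario and the blockScriptFocusOnFile switch are hypothetical names for this model; the typed sentence and the path are Bogtha's example, constructed here as input.

```javascript
// Added example (not the thread's, Mozilla's or any engine's code): a toy model
// of DOM focus and key-event dispatch, used to check that the mitigation
// "script may not focus() a file input" stops keystrokes being steered into it.
// Control, Page and runFocusStealScenario are hypothetical names.

class Control {
  constructor(type) {
    this.type = type;      // "text" or "file"
    this.value = "";       // characters the control has accepted so far
    this.handlers = {};    // event name -> handler function
  }
  on(evt, fn) { this.handlers[evt] = fn; }
}

class Page {
  constructor(blockScriptFocusOnFile) {
    this.active = null;                                   // currently focused control
    this.blockScriptFocusOnFile = blockScriptFocusOnFile; // the mitigation switch
  }
  // A real click by the user: always honoured, so uploads still work after the fix.
  userFocus(ctl) { this.active = ctl; }
  // ctl.focus() called from page script: the mitigation refuses it for file inputs.
  scriptFocus(ctl) {
    if (this.blockScriptFocusOnFile && ctl.type === "file") return false;
    this.active = ctl;
    return true;
  }
  // Dispatch model of the buggy engine: keydown, keypress and keyup each go to
  // whichever control is focused at that instant, so a keydown handler can move
  // focus and the keypress (the event that inserts the character) lands on a
  // different control than the one the user was typing into.
  typeChar(ch) {
    for (const evt of ["keydown", "keypress", "keyup"]) {
      const target = this.active;
      let cancelled = false;
      const handler = target.handlers[evt];
      if (handler) handler({ key: ch, preventDefault: () => { cancelled = true; } });
      if (evt === "keypress" && !cancelled) target.value += ch;
    }
  }
}

// Scenario from the thread: a visible text box plus a file control, with page
// script that steers only the keystrokes spelling `wanted` (in order) into the
// file control. Returns what each control ended up holding.
function runFocusStealScenario(typed, wanted, blockScriptFocusOnFile) {
  const page = new Page(blockScriptFocusOnFile);
  const text = new Control("text");
  const file = new Control("file");
  let needed = wanted;   // the part of the path not yet collected

  text.on("keydown", () => { page.scriptFocus(file); });  // move focus on every keydown
  file.on("keypress", (e) => {                            // keep wanted chars, cancel the rest
    if (needed.startsWith(e.key)) needed = needed.slice(1);
    else e.preventDefault();
  });
  file.on("keyup", () => { page.scriptFocus(text); });    // hand focus back afterwards

  page.userFocus(text);
  for (const ch of typed) page.typeChar(ch);
  return { text: text.value, file: file.value };
}

// Constructed input: the sentence and path from Bogtha's comment above.
const sentence = "Come on, go to http://www.example.com/";
console.log("vulnerable:", runFocusStealScenario(sentence, "C://w.exe", false));
console.log("fixed:     ", runFocusStealScenario(sentence, "C://w.exe", true));
```

Run with node. The first line shows the file control holding "C://w.exe" while the visible text box received nothing, the second shows the mitigation: every scriptFocus() onto the file control is refused, the keypress stays on the text box, and the file control stays empty. User-initiated focus is left untouched, which is why the fix costs nothing beyond the single click Peepsalot mentions.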