We allready knew pressing the back button on IE is dangerous
(http://online.securityfocus.com/archive/1/267561) So it wont come as a
total shock
that so is clicking a link :)
The problem lies in the dragdrop method that was added as a method on
nearly all HTML elements in ie5.5 This method makes any element act like its
being dragged.

It is possible to abuse this behaviour to drop text in a html upload control
thus
allowing you to read any file from an unsuspecting users harddisk. In order
for it to
be succesfull the name of the file must be known

basicly drag and dropping text takes a couple of steps

- select text
- press mouse
- move mouse over over an element that can accept it
- release mouse.

It is possible to mimic all the above steps but the pressing of the button
by using
javascript

a demo is provided at

http://kuperus.xs4all.nl/security/ie/xfiles.htm

it isn't very elegant but seems to work most of the time (ie acts a little
flakey at times),
there are probably better ways to do it if you know of any let me know ;)

it was tested on ie 6 sp1 + all patches

Microsoft was notified a couple of days back, haven't recieved anything back
yet

If you want to protect yourself against this disable active scripting

references:

http://webreference.com/programming/javascript/dragdropie/3.html
http://msdn.microsoft.com/workshop/author/dhtml/reference/methods/dragdrop.a
sp

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]