Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
Re: [Full-disclosure] Firefox focus stealing vulnerability (possibly other browsers)
From: pdp (architect) (pdp.gnucitizengooglemail.com)
Date: Mon Feb 12 2007 - 18:03:16 CST
explanation of how the attack works here:
On 2/12/07, Michal Zalewski <lcamtufdione.ids.pl> wrote:
> On Mon, 12 Feb 2007, [ISO-8859-1] Claus Färber wrote:
> > A proper solution would be to keep a list of files explicitly selected
> > by the user and only allow uploads of files in this list. Then even if a
> > script can manipulate the field, the browser won't upload files that
> > have not been selected by the user.
> Not necessarily that easy: notice that it is the user who enters the name
> of a target file.
> Unless you want to prevent the browser from accepting any files that were
> not chosen using a visual file selector widget - but in such a case,
> there's not much point in having a manual file path entry box in the first
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
pdp (architect) | petko d. petkov
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/