Internet Explorer File Focus Stealing.
Published on: 2007-10-17 (Unix timestamp 1192604434)
Remember the file focus stealing hack constructed by Hong for Firefox? If you visit my webzine you probably will. It was an excellent exploit because it used the HTML "for" attribute on a label to steal focus. I ported this badass exploit to Internet Explorer. The reason I want to show you this is to demonstrate how a simple change in thinking can lead to a cross-browser exploit. Often a new vulnerability won't work in all browsers, because all browsers have different restrictions. Since I had nothing better to do and wanted to launch a 0day tonight, I set myself one goal: I wanted to find a vulnerability in under 1 hour. This snippet steals focus; if correctly implemented, it could be used on a website that uploads any file from your PC and sends it to a remote server without you knowing. But that is beyond the scope of a proof of concept. Notice that this version for MSIE is different because I set the htmlFor attribute on typing in the textarea.
This is how it works: normally, due to security restrictions, JavaScript is not allowed to set focus on a file upload field and/or assign it a value. If that were allowed, a script could upload any file from a PC. So browser vendors implemented security restrictions on the file field in a form. This way it should only be possible for the computer owner to select a file in order to upload it. With this exploit we show that it is possible to steal focus from the user and bypass the browser's security restrictions. Now, due to the onkeydown() event we can transfer focus through the <label> into the file field, which completes our exploit. You can test it while typing into the textarea; you will notice that every keystroke is transferred to the file field.
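The pattern described above (a label whose "for"/htmlFor target is the file input, driven from a key handler on a text field) is something a reviewer can look for in page source. The following is an added example, not the original post's snippet and not code from any browser vendor: a small static check, written for Node with no DOM, that scans HTML text for labels or scripts pointing at a file input. The function names (parseAttrs, findTags, findFileFocusLinks) and the SAMPLE_HTML page are my own constructions, and the regex-based tag extraction is a triage heuristic rather than a real HTML parser.

```javascript
// Added example, not from the original post: a static triage check that scans
// HTML source for <label for=...> targets and for scripts that assign .htmlFor,
// and reports the ones whose target is an <input type="file">.
// Regex-based on purpose so it runs in plain Node without a DOM; it is a
// heuristic for code review, not a complete HTML parser.

// Parse one tag's attribute text into a lowercase-keyed map.
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([A-Za-z_:][-\w:.]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Collect every tag with the given name, returning its parsed attributes.
function findTags(html, tagName) {
  const re = new RegExp(`<${tagName}\\b([^>]*)>`, "gi");
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(parseAttrs(m[1]));
  return out;
}

// Returns the ids of all file inputs plus findings that link a label to one of
// them, either statically (for=) or dynamically (a script assigning htmlFor).
// A static label on a file input is ordinary accessibility markup and is only
// reported as "info"; the dynamic assignment is what merits a closer look.
function findFileFocusLinks(html) {
  const fileInputIds = new Set(
    findTags(html, "input")
      .filter((a) => (a.type || "").toLowerCase() === "file" && a.id)
      .map((a) => a.id)
  );
  const findings = [];
  for (const label of findTags(html, "label")) {
    if (label.for && fileInputIds.has(label.for)) {
      findings.push({ kind: "static-label-for", target: label.for, severity: "info" });
    }
  }
  // Dynamic variant: inline handlers or <script> text that sets .htmlFor.
  const assignRe = /\.htmlFor\s*=\s*["']([^"']+)["']/g;
  let m;
  while ((m = assignRe.exec(html)) !== null) {
    if (fileInputIds.has(m[1])) {
      findings.push({ kind: "script-htmlFor-assignment", target: m[1], severity: "review" });
    }
  }
  return { fileInputIds: [...fileInputIds], findings };
}

// Constructed sample page (not a real site): one file input, a legitimate
// static label for it, and a textarea whose key handler retargets a label.
const SAMPLE_HTML = `
<form action="/upload" method="post" enctype="multipart/form-data">
  <input type="file" id="upload" name="upload">
  <label for="upload">Choose a file</label>
  <label id="lbl" for="nothing">Type here:</label>
  <textarea onkeydown="document.getElementById('lbl').htmlFor='upload'"></textarea>
  <input type="text" id="name">
  <label for="name">Name</label>
</form>`;

// Stand-alone run: prints the file input ids and both findings.
console.log(JSON.stringify(findFileFocusLinks(SAMPLE_HTML), null, 2));
```

Run it with `node` on any saved page source by replacing SAMPLE_HTML with the file contents; a "script-htmlFor-assignment" finding means a script is redirecting label activation at a file input and the surrounding key handlers deserve a manual look.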
Solution: Firefox is also still vulnerable, so, as always, use one of the best browsers around: Opera!