SLA.CKERS.ORG
HA.CKERS SLACKING
sla.ckers.org web application security lab forums
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Firefox file input focus vulnerabilities
Posted by: Hong (IP Logged)
Date: June 30, 2007 04:21AM

Hi everybody,

Anyone remember the Firefox focus stealing bug disclosure by Michal Zalewski?
[lcamtuf.coredump.cx]

New versions of Firefox restrict this so that the focus cannot be transferred to a file input directly, but there is a way to do this indirectly, which is using a label. When a label gets focus, the focus will transfer to the other element pointed to by the "for" attribute. So it can bypass the restriction.

I wrote a demo. This demo is very simple: when you input some text in the textarea, the file input element's value will also change to it. I tested it on Firefox 1.5.0.12 and 2.0.0.4.
[yathong.googlepages.com]

- Hong

Re: Firefox file input focus vulnerabilities
Posted by: Anonymous User (IP Logged)
Date: June 30, 2007 06:33AM

Clever Hong, the PoC works here.

Re: Firefox file input focus vulnerabilities
Posted by: .mario (IP Logged)
Date: June 30, 2007 07:35AM

Very nice find again!

---
g:0in~/*for another*/~alert(!!1)
(Å='',[Ç=!(µ=!Å+Å)+{}][Ç[ª=µ[++Å]+µ[Å-Å],È=Å-~Å]+Ç[È+È]+ª])()[Ç[Å]+Ç[Å+Å]+µ[È]+ª](Å)
me || PHPIDS || Twitter || <malicious></markup>

Re: Firefox file input focus vulnerabilities
Posted by: kuza55 (IP Logged)
Date: June 30, 2007 08:46AM

That's awesome Hong, thanks for posting it here, :)

It makes me feel like I should sit down and really learn html.

Re: Firefox file input focus vulnerabilities
Posted by: WhiteAcid (IP Logged)
Date: June 30, 2007 11:02AM

Has any of you read the XHTML2 draft? The src attribute will work on almost any element. So for instance:
<img src="file.gif" alt="alternate text" />
Will be identical to:
<p src="file.gif">alternate text</p>

That could potentially mean a lot more places to launch CSRF from.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: Firefox file input focus vulnerabilities
Posted by: Anonymous User (IP Logged)
Date: June 30, 2007 11:25PM

@WhiteAcid

Wow... you are right, I did not find the time to browse through it yet, but I guess it would be a good idea.

Re: Firefox file input focus vulnerabilities
Posted by: Ivan (IP Logged)
Date: July 01, 2007 10:28AM

Nice find Hong ;) Btw, I must look closer at the XHTML2 draft, too ...

[www.security-net.biz] | [zastita.com]

Re: Firefox file input focus vulnerabilities
Posted by: WhiteAcid (IP Logged)
Date: July 04, 2007 12:51PM

Is [www.securiteam.com] stealing credit for this?

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer