Mozilla Foundation Security Advisory 2008-02

Mozilla Foundation Security Advisory 2008-02

Title: Multiple file input focus stealing vulnerabilities
Impact: Moderate
Announced: February 7, 2008
Reporter: hong, Gregory Fleischer
Products: Firefox, SeaMonkey

Fixed in: Firefox 2.0.0.12
SeaMonkey 1.1.8
Description

Security researchers hong and Gregory Fleischer each reported a variant on earlier reported bugs regarding focus shifting in file input controls. Their variants used file input controls nested inside <label> tags to take advantage of automatic focus shifting into the file input field noted on the Hacker WebZine. As with the earlier reported issues this issue could be used to force a user to upload arbitrary files assuming the attacker knows the full path and name of the file.

These bugs are variations on earlier problems reported by Charles McAuley and Michal Zalewski which were fixed in Firefox 2.0.0.4, as well as an issue reported by hong which was fixed in Firefox 2.0.0.8.

Gregory Fleischer also submitted a series of demonstrations of different ways to lure a user to place focus into the file input control manually. These demonstrations included "focus spoofing" by selectively capturing keystrokes and placing the captured characters where the user thinks the focus should be.
References

* Focus shifting bugs
* https://bugzilla.mozilla.org/show_bug.cgi?bug_id=413135 (Selective keystroke capturing details embargoed pending discussions with other vendors)
* CVE-2008-0414