DESCRIPTION:
Charles McAuley has reported a vulnerability in Firefox, which can be
exploited by malicious people to trick users into disclosing sensitive
information.
The vulnerability is caused due to a design error where a script can
cancel certain keystroke events when entering text. This can be
exploited to trick a user into typing a filename in a file upload
input field by changing focus and cancelling the "OnKeyPress"
JavaScript event on certain characters.
Successful exploitation allows an arbitrary file on the user's system
to be uploaded to a malicious web site, but requires that the user
type text containing the characters of the filename.
The vulnerability has been confirmed in version 1.5.0.4. Other
versions may also be affected.
SOLUTION:
Disable JavaScript support.
Do not enter suspicious text when visiting untrusted web sites.
PROVIDED AND/OR DISCOVERED BY:
Charles McAuley
NOTE: A variant of this vulnerability was reported in a Mozilla
Bugzilla bug entry back in the year 2000.