
Mozilla Firefox "OnKeyDown" Event Focus Vulnerability

A new Firefox vulnerability is caused by a design flaw in the focus handling of form fields. It can be exploited by changing the focus from a "textarea" field to a "file upload" form field using the "OnKeyDown" event. This allows an arbitrary file to be loaded onto the victim's system and then uploaded to a malicious web site. The upload requires the victim to type the file name into a "textarea" input form. Versions of Firefox that are vulnerable include (all platforms) and (all platforms). The current workaround is to disable JavaScript support and avoid entering file names into form fields on untrusted web sites.




National Vulnerability Database


Posted by Kitch Spicer on July 05, 2007, in Handlers Log.