[Full-disclosure] New flaw found in Firefox 2.0.0.4: Firefox file input focus vulnerabilities

[ascii]

carl hardwick wrote:
> PoC here: http://yathong.googlepages.com/FirefoxFocusBug.html
>
> The vulnerability allows the attacker to silently redirect focus of
> selected key press events to an otherwise protected file upload form
> field. This is possible because of how onKeyDown event is handled,
> allowing the focus to be moved between the two. This enables the
> attacker to read arbitrary files on victim's system.

many thanks for sharing this : )

it's a pretty serious vulnerability as said by Zalewski

regards,
Francesco `ascii` Ongaro
http://www.ush.it