You are currently viewing a snapshot of taken on April 21, 2008. Most of this content is highly out of date (some pages haven't been updated since the project began in 1998) and exists for historical purposes only. If there are any pages on this archive site that you think should be added back to, please file a bug.

You are here: Known Vulnerabilities in Mozilla Products (Firefox > MFSA 2006-41

Mozilla Foundation Security Advisory 2006-41

Title: File stealing by changing input type (variant)
Impact: High
Date: June 1, 2006
Reporter: Chuck McAuley
Products: Firefox, SeaMonkey

Fixed in: Firefox
  SeaMonkey 1.0.2


Chuck McAuley provided Proof-of-Concept code that demonstrates that MFSA 2006-23 was not fixed for all cases. In Firefox it is still possible to pre-fill a text input control with the path to a file at a known location and then change the type of the input control to a file upload control without having the value reset as intended.


Disable JavaScript until you have upgraded to a fixed version.