This page demonstrates an exploit of the CSS opacity style when applied to
a file input element. If the user types in the path to a file, it will be sent/uploaded
to the form post destination. Note that this exploit works with Internet Explorer,
Mozilla, and any browser which allows file input elements to be styled with
opacity. This exploit does NOT actually upload any files but it could be easily
modified to do so.
Inspiration for this exploit came from
article on styling the
file input element and
Michael McGrady for suggesting the method.
While it is not a perfect, or particularly subtle, implementation, this exploit
demonstrates why file input elements must not be allowed to accept most style changes.