QUIZ

1. What is the complete filespec of the registry file in Windows XP?

This page demonstrates an exploit of the CSS opacity style when applied to a file input element. If the user types in the path to a file, that file will be uploaded to the form post destination. Note that this exploit works with Internet Explorer, Mozilla, and any browser that allows file input elements to be styled with opacity. This exploit does NOT actually upload any files, but it could easily be modified to do so.

Inspiration for this exploit came from Peter-Paul Koch's article on styling the file input element, and credit goes to Michael McGrady for suggesting the method.

While it is not a perfect or particularly subtle implementation, this exploit demonstrates why file input elements must not be allowed to accept most style changes.
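A defender's check for the condition this page demonstrates, as an added example that is not part of the original page: it flags file inputs that remain usable but are rendered nearly transparent, including through an ancestor's opacity. The function names, the 0.1 threshold and the stand-in document objects are assumptions made for illustration.

```javascript
// Added example: audit helper, not code from the original page.
// getStyle is injected so the same logic runs in a browser
// (pass el => window.getComputedStyle(el)) or offline on stand-in objects.

// Opacity composes multiplicatively down the tree, so a file input can be
// invisible even when its own opacity is 1.
function effectiveOpacity(el, getStyle) {
  let opacity = 1;
  for (let node = el; node; node = node.parentElement) {
    const value = parseFloat(getStyle(node).opacity);
    if (!Number.isNaN(value)) opacity *= Math.min(Math.max(value, 0), 1);
  }
  return opacity;
}

// Return every enabled file input whose rendered opacity is at or below
// the threshold (0.1 is an assumed cut-off, tune it for your pages).
function findFadedFileInputs(root, getStyle, threshold = 0.1) {
  return Array.from(root.querySelectorAll('input[type="file"]'))
    .filter((el) => !el.disabled)
    .map((el) => ({ el, opacity: effectiveOpacity(el, getStyle) }))
    .filter((hit) => hit.opacity <= threshold);
}

// Constructed stand-in for a DOM so the audit can run without a browser.
function sampleDocument() {
  const form = { id: "quiz", style: { opacity: "1" }, parentElement: null };
  const wrap = { id: "wrap", style: { opacity: "0.05" }, parentElement: form };
  const inputs = [
    { id: "visible-upload", style: { opacity: "1" }, parentElement: form, disabled: false },
    { id: "faded-self", style: { opacity: "0" }, parentElement: form, disabled: false },
    { id: "faded-by-parent", style: { opacity: "1" }, parentElement: wrap, disabled: false },
  ];
  return { querySelectorAll: () => inputs };
}

// Run the audit over the constructed sample and return the flagged ids.
function auditSample() {
  return findFadedFileInputs(sampleDocument(), (n) => n.style).map((h) => h.el.id);
}
```

In a browser, call `findFadedFileInputs(document, (el) => window.getComputedStyle(el))` and review each hit.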