Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications.
XSS enables attackers to inject client-side script into web pages. Think of the "Mr Bean attack": you may remember the defacement of the EU presidency site on 4 January 2010, during the Spanish presidency, when a photo of Mr Bean replaced the Spanish Prime Minister. If you don't remember anything about it, click here (it was a great joke).
Now there is a new way to exploit this kind of vulnerability ...
A researcher has spotted a new vector for exploiting XSS by means of file input fields: the filename of an uploaded file is reflected into the page. The main difficulty is obtaining a filename that contains the special characters (\ / : * ? " < > |), because the usual filesystem rejects them. For example:
NTFS | 255 characters max. | Any Unicode except NUL and \ / : * ? " < > |
I realised it was impossible to create a cross-site scripting vector without these characters.
So he looked for another way to build a filename with special characters. The search was rewarded by the "ext4" filesystem format:
ext4 | 256 bytes max. | Any byte except NUL and /
All characters except "/" are allowed, so you can build a <script> tag, but you can't point it at an http link, since that always includes two slashes (http://).
To get around this, use encodeURIComponent() to encode the following characters: , / ? : @ & = + $ #.
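The defensive lesson of the post is that the filename sent by the browser is attacker-controlled input, and that its safety cannot depend on which filesystem the client happens to use. The following Python example is added here and is not code from the original post or from the researcher's PoC; the filenames it uses are constructed samples. It shows the vulnerable pattern (concatenating the filename straight into HTML) next to two mitigations: HTML-encoding the name at output time with the standard library's html.escape(), and allow-list normalisation of the name before it is stored.

```python
import html
import re
import unicodedata

# Constructed sample filenames (not from the original post). The third one is
# a standard XSS canary: NTFS rejects it outright and ext4 rejects the slash,
# but the application must not rely on the client's filesystem for safety.
SAMPLE_FILENAMES = [
    "report.pdf",
    "q1 figures (final).png",
    "<script>alert(1)</script>.jpg",
    "../../etc/passwd",
]

MAX_NAME_LEN = 255  # NTFS limit quoted in the post; a safe cap for stored names


def render_unsafe(filename: str) -> str:
    """Vulnerable: the browser-supplied filename is concatenated into HTML."""
    return f"<li>Uploaded: {filename}</li>"


def render_safe(filename: str) -> str:
    """Hardened: HTML-encode the name at output time so < > & " ' become entities."""
    return f"<li>Uploaded: {html.escape(filename, quote=True)}</li>"


def sanitize_filename(filename: str) -> str:
    """Allow-list normalisation for the name that is stored on disk or in a DB.

    Drops any directory part (both / and \\ separators), keeps only ASCII
    letters, digits, '.', '_' and '-', removes leading dots and caps the length.
    This does not replace output encoding: render_safe() is still required
    wherever the name is written into a page.
    """
    name = unicodedata.normalize("NFKC", filename)
    name = name.replace("\\", "/").rsplit("/", 1)[-1]   # strip path components
    name = re.sub(r"[^A-Za-z0-9._-]+", "_", name)       # collapse anything else
    name = name.lstrip(".")                             # no hidden files or ".."
    name = name[:MAX_NAME_LEN]
    return name or "upload"                             # never return an empty name


def contains_raw_tag(rendered: str) -> bool:
    """True when a '<' beyond the two wrapper tags (<li> and </li>) survived."""
    return rendered.count("<") > 2


if __name__ == "__main__":
    for original in SAMPLE_FILENAMES:
        print("unsafe :", render_unsafe(original), "| raw tag:", contains_raw_tag(render_unsafe(original)))
        print("safe   :", render_safe(original), "| raw tag:", contains_raw_tag(render_safe(original)))
        print("stored :", sanitize_filename(original))
        print()
```

Note that the two controls answer different questions: sanitize_filename() decides what name the server keeps, while render_safe() is the context-aware encoding that must happen at every output point, because a stored name can still reach a template by another path, and other contexts (a JavaScript string, a URL, an attribute) need their own encoders rather than html.escape().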
PoC and More in: http://12k.nl/post/10167884662/xss-a-new-vector-exploiting-file-inputs