Stealing files from Internet Explorer 6 users is extremely easy if the user can be induced into typing a sufficient amount of text. Any well-known file could be targeted and automatically upload once the proper characters are captured.
The following series of blog posts explore these demonstrations in detail:
These demonstrations are based ideas presented by Charles McAuley in June of 2006: file upload widgets in IE and Firefox have issues and Bart van Arnhem: Re: file upload widgets in IE and Firefox have issues. By combining the two concepts, stealing files is nearly trivial.
Internet Explorer 6 - File Stealing - Demo 1: A simple demonstration of McAuley's discovery shows how vowels can be selectively captured into a file element. Notice that the letters are captured in reverse order.
Internet Explorer 6 - File Stealing - Demo 2: Capture the boot.ini file. The letters must be entered in reverse order for it to work.
Internet Explorer 6 - File Stealing - Demo 3: Capture the boot.ini file. This demonstration integrates van Arnhem's observations. Notice how the letters are now captured in any order.
Internet Explorer 6 - File Stealing - Demo 4: Capture the boot.ini file. The backslash character ('\') rarely appears in typed text on the Internet. But, Internet Explorer treats the forward slash character ('/') as interchangeable when submitting files though. Since, the forward slash appears often in website addresses, programming expressions, etc., this is captured as well.
Internet Explorer 6 - File Stealing - Demo 5: Capture the boot.ini file. Multiple input fields are added and each can be independently redirected to file input. The presentation of these fields is more plausible than a single large field.
Internet Explorer 6 - File Stealing - Final: Capture any file that is desired. By unchecking "Standalone Demo?" the file will be submitted in the background. The actual file input element is hidden off-screen at a negative absolute position.