From security@greymagic.com Wed Feb 5 17:03:33 2003
From: GreyMagic Software
To: "vulnwatch@vulnwatch.org"
Date: Tue, 04 Feb 2003 11:12:41 "GMT"
Subject: [VulnWatch] Opera: What's Next (GM#005-OP)

GreyMagic Security Advisory GM#005-OP
=====================================

By GreyMagic Software, Israel.
04 Feb 2003.

Available in HTML format at http://security.greymagic.com/adv/gm005-op/.

Topic: Opera: What's Next.

Discovery date: 28 Jan 2003.

Affected applications:
======================

Opera 7 (final).

Introduction:
=============

Opera recently released a new version of its browser. Like any other browser, Opera supports the "history" object, which makes it possible to navigate through the browser history by exposing the "back", "forward", and "go" methods.

Discussion:
===========

Opera exposed a little more than a few methods on the history object. It also exposes two properties, "next" and "previous". Unlike the methods mentioned above, these properties contain actual URLs.

This means that when a user navigates to a website, the owner can easily check and log where the user had last been, and even where he went right afterwards (in case the user goes back in history), regardless of whether that previous URL referred to the owner's web site or not.

Notice that "history.previous" is not the same as the "HTTP_REFERER" header. It will return the last URL even if it was not the direct referrer to the current URL, which makes Opera's "Enable referrer logging" configuration option completely pointless.

That's a serious breach of privacy, which Opera seemed to have implemented intentionally.

Exploit:
========

The following code demonstrates how to retrieve these properties:

alert("Last URL: "+history.previous+".\nNext URL: "+history.next+".");

Demonstration:
==============

A proof-of-concept demonstration of this issue is available at http://security.greymagic.com/adv/gm005-op/.

Solution:
=========

Hopefully, Opera will reconsider these properties and remove them from the history object.

Until then you may prefer to disable Javascript by going to: File -> Preferences -> Multimedia, and uncheck the "Enable JavaScript" item.

Tested on:
==========

Opera 7 NT4.
Opera 7 Win98.
Opera 7 Win2000.
Opera 7 WinXP.

Disclaimer:
===========

The information in this advisory and any of its demonstrations is provided "as is" without warranty of any kind.

GreyMagic Software is not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.

Feedback:
=========

Please mail any questions or comments to security@greymagic.com.

- Copyright © 2003 GreyMagic Software.
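
Added example (not part of the GreyMagic advisory, and not GreyMagic's code): a check that lists every property on a history object whose value is an absolute URL, and whether that URL points off-site, which is the exposure the Discussion section describes. The function name, the sample objects and the example hostnames are constructed for illustration; in a browser, pass window.history and location.href instead.

```javascript
// Added example: audit a history-like object for properties that hold URLs.
// auditHistory is a hypothetical helper name, not a browser API.
function auditHistory(historyObj, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const names = new Set();
  // Walk the prototype chain so inherited and non-enumerable properties are seen.
  for (let o = historyObj; o && o !== Object.prototype; o = Object.getPrototypeOf(o)) {
    for (const n of Object.getOwnPropertyNames(o)) names.add(n);
  }
  const findings = [];
  for (const name of names) {
    let value;
    try { value = historyObj[name]; } catch (e) { continue; } // getter refused access
    if (typeof value !== "string" || value === "") continue;   // methods, counters, empty
    let parsed;
    try { parsed = new URL(value); } catch (e) { continue; }   // not an absolute URL
    findings.push({
      property: name,
      url: value,
      crossSite: parsed.origin !== pageOrigin, // URL belongs to someone else's site
    });
  }
  return findings.sort((a, b) => a.property.localeCompare(b.property));
}

// Constructed sample: the behaviour the advisory describes for Opera 7.
const leakyHistory = {
  length: 3,
  previous: "http://webmail.example/inbox?msg=42",
  next: "http://shop.example/cart",
  back() {}, forward() {}, go() {},
};
// Constructed sample: only navigation methods and an entry counter.
const cleanHistory = { length: 3, back() {}, forward() {}, go() {} };

function demo() {
  const page = "http://site.example/page"; // constructed page URL
  return {
    leaky: auditHistory(leakyHistory, page),
    clean: auditHistory(cleanHistory, page),
  };
}
console.log(JSON.stringify(demo(), null, 2));
```

An empty result means the object exposes no URL-bearing properties to page script; any entry with crossSite set to true is a URL from another site that the current page can read.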