From sandblad@acc.umu.se Thu May 16 05:54:43 2002 From: Andreas Sandblad To: bugtraq@securityfocus.com Date: Wed, 15 May 2002 18:57:59 +0200 (CEST) Subject: Opera javascript protocoll vulnerability [Sandblad advisory #6] - Sandblad advisory #6 - ---..---..---..---..---..---..---..---..---..---..---..---..---- Title: Opera javascript protocoll vulnerability Date: [2002-05-15] Software: At least Opera 6.01, 6.0, 5.12 (win) Rating: High because Opera is assumed to be secure Impact: Read cookies/local filestructure/cache Vendor: Opera has confirmed the vulnerability and released today a new version 6.02 fixing the issue. http://www.opera.com/ _ _ Workaround: Disable javascript. o' \,=./ `o Author: Andreas Sandblad, sandblad@acc.umu.se (o o) ---=--=---=--=--=---=--=--=--=--=---=--=--=-----ooO--(_)--Ooo--- DESCRIPTION: ============ Opera allows the location of a frame to be overwritten by an url containing the javascript protocoll. The javascript code will be operating in the same domain as the url that was overwritten. Thus we can read cookies from other domains, local file structure and private information from the cache (history of links visited). EXPLOIT I: ========== The following exploit has been tested to work on Opera 6.01, 6.0 (win). It will not work on 5.x because it requires the iframe feature. ------------------- CUT HERE -----------------------------------
Read google cookie
Read c:/ structure (win)
Read links in cache
------------------- CUT HERE ----------------------------------- EXPLOIT II: =========== For versions of Opera not supporting the iframe tag the exploit must be done using the frame tag instead. The following exploit has been tested on Opera 6.01, 6.0, 5.12 (win). ------------------- CUT HERE ----------------------------------- ------------------- CUT HERE ----------------------------------- payload.html: ------------------- CUT HERE ----------------------------------- Google cookie
First item in cache
First file/directory in c:\ (win) ------------------- CUT HERE ----------------------------------- Disclaimer: =========== Andreas Sandblad is not responsible for the misuse of the information provided in this advisory. The opinions expressed are my own and not of any company. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this advisory. Any use of the information is at the user's own risk. Old advisories: =============== #5 [2002-04-26] "Mp3 file can execute code in Winamp." http://online.securityfocus.com/archive/1/269724 #4 [2002-04-15] "Using the backbutton in IE is dangerous." http://online.securityfocus.com/archive/1/267561 Feedback: ========= Please send suggestions and comments to: _ _ sandblad@acc.umu.se o' \,=./ `o (o o) ---=--=---=--=--=---=--=--=--=--=---=--=--=-----ooO--(_)--Ooo--- Andreas Sandblad, student in Engineering Physics at the University of Umea, Sweden. -/---/---/---/---/---/---/---/---/---/---/---/---/---/---/---/--