OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: GreyMagic Software (security_at_greymagic.com)
Date: Tue Feb 04 2003 - 09:11:55 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    GreyMagic Security Advisory GM#006-OP
    =====================================

    By GreyMagic Software, Israel.
    04 Feb 2003.

    Available in HTML format at http://security.greymagic.com/adv/gm006-op/.

    Topic: Sniffing Opera's Tracks.

    Discovery date: 29 Jan 2003.

    Affected applications:
    ======================

    Opera 7 (final).

    Introduction:
    =============

    Opera recently released a new version of its browser.

    The new browser features a very useful Javascript console, which uses a few
    methods Opera implemented in the "opera" object.

    Discussion:
    ===========

    These methods appear in the comments of the "console.html" file as follows:

    * opera.errorIndex():
    Returns the index of the last error message. This index is monotonically
    increasing (which limits us to about 2^53 errors per Opera session).

    * opera.errorMessage(i):
    Returns the error message at index i. The value returned may be #f, if that
    message has been flushed from the cache.

    Opera hadn't bothered to restrict these methods to certain credentials and
    they are available for any web page to use. At first glance this doesn't
    appear to be a big deal, but a short inspection of the generated error
    messages reveals that each of them contains the URL that threw the
    exception.

    In practice, this means that a web page can extract a list of all URLs the
    user had visited and that threw any exceptions. And since Opera pretends to
    be Internet Explorer by default, it often encounters errors in web pages.
    Harvesting visited URLs had never been this simple.

    Exploit:
    ========

    The following code will generate a list of visited URLs:

    var sMsg,
    sFinal="",
    iLen=opera.errorIndex();

    for (var iErr=0;iErr<iLen;iErr++) {
    sMsg=opera.errorMessage(iErr);
    if (sMsg && /(https?:\/\/\S+)/i.test(sMsg)) sFinal+=RegExp.$1+"\n";
    }
    alert(sFinal);

    Demonstration:
    ==============

    A proof-of-concept demonstration of this issue is available at
    http://security.greymagic.com/adv/gm006-op/.

    Solution:
    =========

    Until a patch becomes available, disable Javascript by going to: File ->
    Preferences -> Multimedia, and uncheck the "Enable JavaScript" item.

    Tested on:
    ==========

    Opera 7 NT4.
    Opera 7 Win98.
    Opera 7 Win2000.
    Opera 7 WinXP.

    Disclaimer:
    ===========

    The information in this advisory and any of its demonstrations is provided
    "as is" without warranty of any kind.

    GreyMagic Software is not liable for any direct or indirect damages caused
    as a result of using the information or demonstrations provided in any part
    of this advisory.

    Feedback:
    =========

    Please mail any questions or comments to securitygreymagic.com.

    - Copyright 2003 GreyMagic Software.