SecurityTracker.com
Category:   Application (Web Browser)  >   Opera
Vendors:   Opera Software
Opera Web Browser Allows Cross-site Scripting Attacks Via Non-HTTP Servers
SecurityTracker Alert ID:  1003466
SecurityTracker URL:  http://securitytracker.com/id/1003466
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Feb 7 2002
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network
Exploit Included:  Yes  
Version(s): 6.0, prior versions
Description:   Eye on Security reported a cross-site scripting vulnerability in the Opera web browser. A remote user could cause the browser to disclose cookies and other sensitive information.

A remote user can create HTML containing active scripting that, when loaded by a target user (i.e., the victim), will be executed by the target user's web browser. The active scripting can contain code to connect to a particular server via a non-HTTP port (e.g., echo, SMTP, POP3, FTP). If the non-HTTP port returns some of the content supplied by the script (as the echo port does and as do some other ports), the browser may execute the returned scripting code within an HTML page. The returned scripting code will appear to originate from the server (with the non-HTTP port) and will run in the security context of that server. As a result, the code may be able to access the target user's cookies and other information associated with the server.

A paper describing the vulnerability and an associated exploit is available at:

http://eyeonsecurity.net/papers

The following type of exploit code may trigger the vulnerability:

<script>
window.open("http://[targetserver]","w");
setTimeout("form1.submit()",300);
</script>

<form name="form1" method="post" action="http://[targetserver]:110/" enctype="multipart/form-data">
<textarea name="eostest">
user <script>alert(document.cookie)</script>
quit
</textarea>
<input type="submit" value="Submit">
</form>

The vendor has reportedly been notified.
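
As a defensive illustration of the condition described above (an added example, not code from the advisory or from Opera), the following check flags HTML forms whose action would make a browser speak HTTP to one of the non-HTTP services the description names. The host names, the sample HTML and the port list are constructed for the example; the list is illustrative and is not any browser's actual blocklist.

```javascript
// Ports of the non-HTTP services named in the advisory (echo, FTP, SMTP, POP3).
// Illustrative list (assumption), not any browser's actual blocklist.
const NON_HTTP_PORTS = new Map([
  [7, "echo"], [21, "ftp"], [25, "smtp"], [110, "pop3"],
]);

// Return the service name if an http(s) URL targets a listed port, else null.
function nonHttpService(action, baseUrl) {
  let url;
  try {
    url = new URL(action, baseUrl); // resolves relative actions against the page
  } catch {
    return null; // unparseable action: nothing to classify
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  // URL.port is "" when the scheme's default port is in use.
  const fallback = url.protocol === "http:" ? 80 : 443;
  const port = url.port === "" ? fallback : Number(url.port);
  return NON_HTTP_PORTS.get(port) ?? null;
}

// Find <form> tags whose action points at one of the listed ports.
// Regex extraction is a simplification; a real scanner would use an HTML parser.
function auditForms(html, baseUrl) {
  const findings = [];
  for (const [tag] of html.matchAll(/<form\b[^>]*>/gi)) {
    const m = tag.match(/\baction\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i);
    if (!m) continue;
    const action = m[1] ?? m[2] ?? m[3];
    const service = nonHttpService(action, baseUrl);
    if (service) findings.push({ action, service });
  }
  return findings;
}

// Constructed sample: the advisory's form shape with placeholder hosts.
const SAMPLE_HTML = `
<form name="form1" method="post" action="http://mail.example.test:110/"
      enctype="multipart/form-data"><textarea name="eostest"></textarea></form>
<form method="post" action="/login"></form>
<form action='https://www.example.test:8443/search'></form>
<form action=http://files.example.test:21/></form>`;

console.log(auditForms(SAMPLE_HTML, "http://page.example.test/"));
```

Only the first and last forms are reported; the relative action and the form on port 8443 are not on the list and pass.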

Impact:   A remote user may be able to cause JavaScript to be executed on another user's web browser in the context of a web server security domain. The code may be able to access the target user's cookies associated with the web server.
Solution:   No solution was available at the time of this entry. The vendor is reportedly developing a fix for the next release.
Vendor URL:  www.opera.com/
Cause:   Access control error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Web Browsers vulnerable to the Extended HTML Form Attack (IE and OPERA)


Advisory Title: Web Browsers vulnerable to the Extended HTML Form Attack
Release Date: 06/02/2002
Effects:
Internet Explorer 6 and older versions
Opera 6.0 and older versions


Severity:
Allows stealing of cookies, penetration of internal networks and other evil
stuff.

Author:
Obscure^
[ obscure@eyeonsecurity.net ]

Vendor Status:
Internet Explorer - Informed secure@microsoft.com and worked with them to
release a patch. Should be out soon.
Opera - Worked with the Opera team. A fix is due next release.


Web:

http://eyeonsecurity.net/papers/ - Extended HTML Form Attack


Background.

Many web browsers such as Internet Explorer allow forms to be submitted to
non-HTTP services. Some non-HTTP services echo back the information sent,
and the web browser renders the echo as an HTML page, regardless of the
protocol behind the service.


Problem.

A malicious user can create a form which is submitted by the victim
(automatically using Active Scripting or manually using Social Engineering).
This form can cause a non-HTTP service to echo back JavaScript commands
which in turn allow the malicious user to steal the cookie for that domain.
There are more uses for this attack, other than just stealing cookies.


Exploit Example.

available at http://eyeonsecurity.net/advisories/showMyCookie.html




Disclaimer.

The information within this document may change without notice. Use of
this information constitutes acceptance for use in an AS IS
condition. There are NO warranties with regard to this information.
In no event shall the author be liable for any consequences whatsoever
arising out of or in connection with the use or spread of this
information. Any use of this information lies within the user's
responsibility.


Feedback.

Please send suggestions, updates, and comments to:

Eye on Security
mail : obscure@eyeonsecurity.net
web : http://www.eyeonsecurity.net




 
 



Copyright 2021, SecurityGlobal.net LLC