SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Browser)  >   Opera Vendors:   Opera Software
Opera Web Browser Redirection Input Validation Hole Allows Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1006178
SecurityTracker URL:  http://securitytracker.com/id/1006178
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Feb 26 2003
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 6.x; Also, Windows versions prior to 7.02
Description:   Secunia reported an input validation vulnerability in the Opera web browser. A remote user can conduct cross-site scripting attacks.

It is reported that when Opera is configured with "Automatic redirection" disabled (which is not the default configuration), a vulnerability exists. When the browser generates a page to display a redirect, the browser reportedly does not filter user-supplied input.

If a target web server uses a redirect script that accepts user-supplied arguments, then cross-site scripting attacks may be possible. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will run in the security context of the domain that is attempting the redirect (the target web site's domain), according to the report. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit test is available via:

http://www.secunia.com/secunia_research/2003-1/exploit/?test=1

A demonstration exploit HTTP header line is provided:

Location: http://victim/<MALICIOUS_CODE>

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with certain web sites (that use redirect scripts), access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   The vendor has released a fixed version (7.02) for Windows, available at:

http://www.opera.com/download/

According to the report, no vendor solution is available for Linux.

The author of the report indicates that, as a workaround, you can enable "Automatic redirection" (this is reported to be the default configuration).

Vendor URL:  www.opera.com/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  BeOS, Linux (Any), Apple (Legacy "classic" Mac), QNX, UNIX (FreeBSD), UNIX (macOS/OS X), UNIX (Solaris - SunOS), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Secunia Research: Opera browser Cross Site Scripting




======================================================================

                   Secunia Research 26/02/2003

              - Opera browser Cross Site Scripting -

======================================================================
Table of Contents

1..........................................................Description
2....................................................Affected Software
3.............................................................Severity
4..............................................................Exploit
5.............................................................Solution
6...........................................................Time Table
7........................................................About Secunia
8..............................................................Credits
9.........................................................Verification

======================================================================
1) Description

A vulnerability exists in the way the Opera browser generates a
temporary page for displaying a redirection, when "Automatic
redirection" is disabled (not default setting).

When Opera generates a page for displaying a redirect, it does not
strip any characters, making it possible to inject malicious script
code into the page generated by the Opera browser. This page has the
same privileges as the domain trying to redirect the user, making it
possible to steal cookies, hi-jack sessions etc. from the domain.

Eg. many websites use a "redirect-script" to redirect users. These 
scripts often take arguments without any further validation, because
their only function is to send the user to a new URL. However, when
Opera is set to not automatically redirect a user, Opera will display
this URL on a temporary page without stripping it for malicious code.

======================================================================
2) Affected Software

Following have been tested and found vulnerable:
Opera prior to 7.02 on Windows
Opera 6.x on Linux

Vendor:
http://www.opera.com/

======================================================================
3) Severity

Rating:  Less critical
Impact:  Cross Site Scripting
Where:   From Remote

======================================================================
4) Exploit

Sample exploit:
http://www.secunia.com/secunia_research/2003-1/exploit/

======================================================================
5) Solution

Vendor patch:
Windows: Update to latest version. Opera v7.02 is not vulnerable.
Linux: No update available.

Workaround:
A workaround would be to leave "Automatic redirection" enabled.

======================================================================
6) Time Table

15/02/2003 - Vulnerability discovered
16/02/2003 - Further research
17/02/2003 - Vendor informed
19/02/2003 - Vendor confirmed and fixed vulnerability
26/02/2003 - Vendor released Opera v7.02
26/02/2003 - Public disclosure of vulnerability

======================================================================
7) About Secunia

Secunia collects, validates, assesses and writes advisories regarding
all the latest software vulnerabilities disclosed to the public. These
advisories are gathered in a publicly available database at the
Secunia website: 

http://www.secunia.com/

Secunia offers services to our customers enabling them to receive all
relevant vulnerability information to their specific system
configuration.

======================================================================
8) Credits

Jakob Balle, Secunia

======================================================================
9) Verification

Please verify this advisory by visiting the Secunia website.

http://www.secunia.com/secunia_research/2003-1/

======================================================================


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC