SecurityTracker.com
Category:   Application (Web Browser)  >   Opera
Vendors:   Opera Software
Opera Browser Input Validation Flaw in opera: Protocol Permits Remote Directory Traversal
SecurityTracker Alert ID:  1008155
SecurityTracker URL:  http://securitytracker.com/id/1008155
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Nov 12 2003
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 7.21 and prior versions
Description:   An input validation vulnerability was reported in the Opera web browser in the processing of "opera:" URIs. A remote user can view files on the target user's system.

It is reported that a remote user can create HTML containing the "opera:" protocol to traverse the directory on the target user's system. According to the report, the "opera:" URI is an "internal" protocol (i.e., not configured in the Windows Registry) that is used to display documentation, among other things. In certain cases, the protocol will invoke the "file://" protocol to access various files and protocols on the local system.

A remote user can reportedly use an encoded "../" string (e.g., "..%5c", "..%2f") to traverse the target user's directory and access files on the target user's system.

Impact:   A remote user can view files on the target user's system.
Solution:   The vendor has released a fixed version (7.22), available at:

http://www.opera.com/download/

Vendor URL:  www.opera.com/
Cause:   Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-Disclosure] Opera Directory Traversal in Internal URI Protocol (Advisory)


Opera Web Browser Directory Traversal in Internal URI Protocol
==============================================================




I ABSTRACT:


Opera Web Browser defines an internal URI protocol-like command called "opera:". Among other things, it is used to display documentation
 and help files for the browser. It has an input validation flaw that enables directory traversal.

This flaw is an aggravating factor when combined with other vulns. In this case, it can be combined with the "Opera Skinned" vulnerability
 that has been described in the attached file.



II VERSIONS AFFECTED:

All versions up to and including 7.21 that support the flawed command are vulnerable. Version 7.22 contains the fix.



III TECHNICAL DETAILS:


NOTE: It is assumed that Opera is installed in the default location i.e., "c:\program files\opera7" for the purpose of this description.
 However, a default install is *not* necessary for exploitation.

"Opera:" is an internal URI protocol-like command used by Opera. "Internal" because it is not registered as a URI protocol in the
 Windows Registry. One of its uses is to display documentation. For instance, to see help, "opera:/help/" is used. This points to
 the "C:\Program Files\Opera7\help" directory on the file system. The html files in this folder can be accessed through this relative
 URL, like, "opera:/help/foo.html". When a local path is requested through "opera:" in the form of a legal "opera:/help/" URL, it
 uses the service of the "file://" protocol. For instance, "opera:/help/" redirects the browser to "file://localhost/C:/Program Files/Opera7/Help/index.html".

"opera:history", "opera:plugins", "opera:cache" and "opera:drives" are other known uses for this command. Their function is self-explanatory.
 "about:" is an alias for "opera:". For instance, "about:history" translates to "opera:history".

The problem here is that, though using "../" for directory traversal in the opera: command is not allowed and Opera responds with
 an "illegal address" prompt, this can easily be bypassed using "..%5c" or "..%2f" to break out of the /help/ directory.

For instance, using "opera:/help/..%5c..%5c..%5cwinnt/notepad.exe" downloads "notepad.exe" from the "winnt" folder.



IV EXPLOITATION SCENARIOS & EXPLOIT:


Exploits that depend on knowing the installation path of Opera are helped by this vulnerability. The command "opera:/help/" always
 points to the "<opera directory>/help/" directory. This can be used as a reference point for exploits because of the directory traversal.
 For instance, "opera:/help/..%5c" points to the Opera Directory. 

The exploit attached with the advisories uses this vulnerability for getting the correct path of the "<opera dir>/profile/" folder
 for exploitation.



V VENDOR RESPONSE & SOLUTION:

The vendor, Opera Software, deserves special mention here. I had previously read about Opera Soft's promptness in resolving security
 vulnerabilities in their products. My experience with them is one of the best I ever had with any vendor. I hope they continue to
 maintain their good record even with future security issues.

An updated version with a fix (7.22) is available from the site - http://www.opera.com/download/




VI. CREDIT:


S.G.Masood (sgmasood@yahoo.com)

Hyderabad,
India.


VII. DISCLAIMER:

This advisory is meant only for the dissemination of information, alerting the general public about a security issue. Use this information
 at your own discretion.

In brief, the author is not responsible for any use, misuse, abuse of this information. Also, this information is provided "as is"
 without any warranty of any kind. 

*PHEW*

EOF





_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
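
The filter-before-decode ordering described in section III of the advisory, shown beside a decode-then-canonicalise check. This is an added example, not part of the advisory and not Opera's code: `resolve_naive` is a hypothetical model of the reported behaviour, the function names are made up for illustration, and `HELP_ROOT` assumes the default install path from the advisory's NOTE.

```python
import ntpath  # Windows path rules, usable on any OS
from urllib.parse import unquote

# Assumption: default install path from the advisory's NOTE.
HELP_ROOT = r"C:\Program Files\Opera7\help"
PREFIX = "opera:/help/"


def resolve_naive(uri):
    """Hypothetical model of the flawed order: filter raw text, then decode."""
    rel = uri[len(PREFIX):]
    if "../" in rel or "..\\" in rel:
        raise ValueError("illegal address")
    # %5c and %2f only become separators here, after the filter has run.
    return ntpath.normpath(ntpath.join(HELP_ROOT, unquote(rel)))


def resolve_checked(uri):
    """Decode once, canonicalise, then require the result to stay under HELP_ROOT."""
    if not uri.lower().startswith(PREFIX):
        raise ValueError("illegal address")
    rel = unquote(uri[len(PREFIX):])
    if "%" in rel:
        # An escape that survives one decode would change meaning if any
        # later layer decodes again, so refuse it.
        raise ValueError("illegal address")
    full = ntpath.normpath(ntpath.join(HELP_ROOT, rel))
    root = ntpath.normcase(HELP_ROOT)
    candidate = ntpath.normcase(full)
    # Compare whole path components so "help2" does not pass as "help".
    if candidate != root and not candidate.startswith(root + "\\"):
        raise ValueError("illegal address")
    return full


def is_rejected(resolver, uri):
    """True when the resolver refuses the URI with 'illegal address'."""
    try:
        resolver(uri)
    except ValueError:
        return True
    return False
```

The containment test runs on the canonical path, so it holds regardless of which encoding or separator produced the "..".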

 
 

