SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Browser)  >   Opera Vendors:   Opera Software
(Original Advisory is Available) Opera Browser Shortcut Icon May Cover URL Addresses
SecurityTracker Alert ID:  1010376
SecurityTracker URL:  http://securitytracker.com/id/1010376
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jun 3 2004
Impact:   Modification of system information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 7.50 and prior versions
Description:   A vulnerability was reported in the Opera browser. A remote user can spoof various status bars using a shortcut icon.

The vendor reported that a remote user can create a specially crafted shortcut icon file of an unusually wide size to cover the URL in the address line. The URLs in the address bar, page bar, and page/window cycler are affected.

The vendor credits GreyMagic with discovering this flaw.

GreyMagic indicates that a remote user can create an image that looks like an address in Opera's address bar and can include the shortcut icon with the following HTML:

<link rel="shortcut icon" href="linkToFakeAddress.gif"> A demonstration exploit example is available at:

http://security.greymagic.com/security/advisories/gm007-op/

The vendor was reportedly notified on May 19, 2004.

Impact:   A remote user can cause the address bar to appear to display an alternate URL.
Solution:   The vendor has released a fixed version (7.51), available at:

http://www.opera.com/download/

Vendor URL:  www.opera.com/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Windows (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Jun 3 2004 Opera Browser Shortcut Icon May Cover URL Addresses



 Source Message Contents

Subject:  [Full-Disclosure] Phishing for Opera (GM#007-OP)


GreyMagic Security Advisory GM#007-OP
=====================================

By GreyMagic Software, 03 Jun 2004.

Available in HTML format at
http://security.greymagic.com/security/advisories/gm007-op/.

Topic: Phishing for Opera.

Discovery date: 16 May 2004.

Affected applications:
======================

Opera 7.50 and prior. 


Introduction:
=============

Most browsers today implement a "Shortcut Icon" (favicon) feature. This
feature gives web-sites the option to add a small icon to the address bar
and/or favorites. 

Opera also implements this feature. However, unlike other browsers, Opera
allows the use of icons that may be large in width. 


Discussion: 
===========

It is possible to use this feature in Opera to fool users into believing
that they are in a domain they trust (their bank, web-mail, etc) while
serving and receiving content in a hostile domain. Thereby enabling identity
theft, credit card scams and more. 

This can be done by creating an icon that contains the text of the desired
site, which would be similar in appearance to the way Opera shows addresses
in the address bar. 

This alone, however, is not enough, as it will cause the real address to
appear to the right of the fake address. Unfortunately, this too can be
circumvented by tricking Opera into showing the right-hand side of the
attacking URL, while filling that side with spaces. 

The result is a very convincing fake address appearing in the address bar. 


Exploit: 
========

Create an image that looks like an address in Opera's address bar and use
the following element to include it in a page: 

<link rel="shortcut icon" href="linkToFakeAddress.gif"> 


Demonstration:
==============

A proof-of-concept demonstration of this issue is available at
http://security.greymagic.com/security/advisories/gm007-op/.


Solution: 
=========

GreyMagic informed Opera of the vulnerability on 19-May-2004. A new version
(7.51) was released on 03-Jun-2004 to address this problem.  


Tested on: 
==========

Opera 7.23.
Opera 7.50.


Disclaimer: 
===========

The information in this advisory and any of its demonstrations is provided
"as is" without warranty of any kind. 

GreyMagic Software is not liable for any direct or indirect damages caused
as a result of using the information or demonstrations provided in any part
of this advisory. 

- Copyright ) 2004 GreyMagic Software.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC