Vulnerability in the mail client in Opera 7.20 beta 1.

A vulnerability has been discovered in M2, the mail client in Opera 7.20, 
beta 1.

Impact of vulnerability:

Versions affected:
Opera 7.20 Beta 1, build 2981 only. All other Opera versions are safe.

Opera’s mail client, M2, has an option to suppress viewing of external 
embeds, turned on by default, that protects M2 users from having their 
e-mail tracked. This mechanism can be circumvented through the use of CSS.

External embeds are typically used by senders of unsolicited commercial 
email, spam, to act as “read receipts” and are typically 0×0 invisible 
images stored on a server.

The typical way a spammer can use such an image, from here on referred to as 
a mail bug, is by sending an HTML formatted mail, containing a link to an 
image stored on a mail server. Example:

<img src="http://exploit.example.com/img.gif?tracker=unique_tracker_id" 
width="0" height="0" />

The {unique_tracker_id} is a code unique to each mail sent out, and will 
give the spammer a confirmation that the mail sent out to a particular user 
was both received and opened.

In Opera 7.20, when a mail is viewed in the mail client, an XML document is 
created, containing the mail headers and a mail body. Opera then uses CSS 
to apply style to this document.

<omf:mime xmlns:omf="http://www.opera.com/2003/omf" 
<html:link rel="stylesheet" href="file://localhost/C:\Program 
Files\Opera7\Styles\mime.css" type="text/css"/>
  <showheaders href="attachment:/135/headers.html">Display all 
    <hdr name="To"><n>To</n><v>john.doe@example.com</v></hdr>      
  <body id='omf_body_start'>
    <div class='document'>
      <rfc822 id='1058899906'>
         { mail content goes here }
      </omf:rfc822 id='1058899906'>

When mail is displayed it uses a stylesheet found in the file mime.css in 
the Styles subdirectory of the Opera installation folder. The mail headers 
and bodies are styled using namespace declarations in the mail:

@namespace omf url(http://www.opera.com/2003/omf);
@namespace html url(http://www.w3.org/TR/REC-html40);
omf|headers {
    /* style definitions */
}

By sending a mail using Content-type: text/html, and embedding a mail with 
styles similar to the ones found in the Opera stylesheet, a malicious user 
could insert an image that is displayed in the header area of the mail. An 
example of such a mail could be:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" 
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
  <style type="text/css">
   omf|headers { background-image: url(http://www.example.com/t.png) }
    { Normal mail body here }

Opera 7.20 beta 1 will now display the image referenced in the style 
sheet, http://www.example.com/t.png, in the header area of the mail.
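
The filtering gap described above, as an added example that is not part of the original advisory or of Opera's code: a Python checker that lists every remote reference an HTML mail body could fetch, scanning CSS in style blocks and style attributes as well as tag attributes. The class name, function name and sample body are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# CSS url(...) tokens (quoted or bare) and string-form @import rules.
CSS_URL = re.compile(r"""url\(\s*['"]?([^'")\s]+)""", re.I)
CSS_IMPORT = re.compile(r"""@import\s+['"]([^'"]+)['"]""", re.I)
REMOTE = re.compile(r"^(?:https?:|ftp:)?//", re.I)  # network fetch, not cid:/data:
URL_ATTRS = {"src", "background", "poster"}

class ExternalRefFinder(HTMLParser):
    """Collect (where, url) for every remote fetch the markup could trigger."""
    def __init__(self):
        super().__init__()
        self.refs = []
        self._in_style = False

    def _add(self, where, url):
        if REMOTE.match(url.strip()):
            self.refs.append((where, url.strip()))

    def _scan_css(self, where, css):
        for url in CSS_URL.findall(css) + CSS_IMPORT.findall(css):
            self._add(where, url)

    def handle_starttag(self, tag, attrs):
        self._in_style = self._in_style or tag == "style"
        for name, value in attrs:
            if name in URL_ATTRS or (tag == "link" and name == "href"):
                self._add(f"{tag}@{name}", value or "")
            elif name == "style":
                self._scan_css("inline style", value or "")

    def handle_endtag(self, tag):
        self._in_style = self._in_style and tag != "style"

    def handle_data(self, data):
        self._scan_css("style block", data if self._in_style else "")

def find_external_refs(html_body):
    finder = ExternalRefFinder()
    finder.feed(html_body)
    finder.close()
    return finder.refs

# Constructed sample built from the two snippets shown in this advisory.
SAMPLE = (
    '<style>omf|headers { background-image: url(http://www.example.com/t.png) }</style>'
    '<img src="http://exploit.example.com/img.gif?tracker=unique_tracker_id" width="0" height="0" />'
)
```

A filter that inspects only tag attributes reports the img entry alone; the style-block entry is the reference that reaches the network in the case described here.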

Either downgrade to Opera 7.11, or upgrade to Opera 7.20, beta 2, build 
3014, as they are not affected by the problem.

Opera Software was notified of the problem on 2003-07-04 and acknowledged 
the problem the same day, but requested some time to create a fix. Opera 
Software released Opera 7.20 beta 2, which fixed the problem, on 2003-07- 

An HTML version of this alert can be found at 

Arve Bersvendsen


