TUCoPS :: Browsers :: hack2909.htm

Opera: Location, Location, Location
Opera: Location, Location, Location

GreyMagic Security Advisory GM#008-OP

By GreyMagic Software, 05 Aug 2004.

Available in HTML format at

Topic: Location, Location, Location.

Discovery date: 19 Jul 2004.

Affected applications:

Opera 7.53 and prior on Windows, Linux and Mac. 


On 04-Feb-2003 GreyMagic released an advisory [1] concerning Opera's
security model in v7.0. The advisory depicted several flaws in Opera's
model, one of them allowed for an attacker to overwrite native and custom
functions in a victim window. When the victim web-page executed such
function, the attacker's code executed with the victim's privileges. 

Opera tried to prevent such scenarios in Opera 7.01, by blocking
write-access to objects on the victim window. 

[1] http://www.greymagic.com/security/advisories/gm002-op/ 


Unfortunately, Opera failed to block write-access to the often-used
"location" object. 

By overwriting methods in this object, an attacker can gain immediate script
access to any web-page that uses one of these methods. This includes both
web-pages in foreign domains and the victim's local file system. 

The impacts of this vulnerability include: 

* Read-access to files on the victim's file system 
* Read-access to lists of files and folders on the victim's file system 
* Read-access to emails written or received by M2, Opera's mail program 
* Cookie theft 
* URL spoofing (phishing) 
* Track user browsing history 
* Much more... 

Several methods are candidates for such attacks: assign(), replace(),
valueOf() and toString(). The first two would be triggered only when the
victim explicitly calls them. The latter ones would be called in many
implicit cases, including: 

* str+=location;
* decodeURI(location);
* location*7;
* location+"";

And many others... 

In order to gain access to the "file://" protocol, and hence to the entire
file-system, an attacker needs to know of an HTML file in the victim's file
system that actually makes a call to a method in the location object. Such
file was included in virtually all Windows Operating Systems, it is named
"CiAdmin.htm" and it can be found in a very predictable path -


To exploit this vulnerability an attacker can use a simple