91857 2003-02-26 16:57 /111 rader/ Jakob Balle <jb@secunia.com>
Importerad: 2003-02-26 16:57 av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <3686>
Ärende: Secunia Research: Opera browser Cross Site Scripting
------------------------------------------------------------
======================================================================
Secunia Research 26/02/2003
- Opera browser Cross Site Scripting -
======================================================================
Table of Contents
1..........................................................Description
2....................................................Affected Software
3.............................................................Severity
4..............................................................Exploit
5.............................................................Solution
6...........................................................Time Table
7........................................................About Secunia
8..............................................................Credits
9.........................................................Verification
======================================================================
1) Description
A vulnerability exists in the way the Opera browser generates a
temporary page for displaying a redirection, when "Automatic
redirection" is disabled (not default setting).
When Opera generates a page for displaying a redirect, it does not
strip any characters, making it possible to inject malicious script
code into the page generated by the Opera browser. This page has the
same privileges as the domain trying to redirect the user, making it
possible to steal cookies, hi-jack sessions etc. from the domain.
Eg. many websites use a "redirect-script" to redirect users. These
scripts often take arguments without any further validation, because
their only function is to send the user to a new URL. However, when
Opera is set to not automatically redirect a user, Opera will display
this URL on a temporary page without stripping it for malicious code.
======================================================================
2) Affected Software
Following have been tested and found vulnerable:
Opera prior to 7.02 on Windows
Opera 6.x on Linux
Vendor:
http://www.opera.com/
======================================================================
3) Severity
Rating: Less critical
Impact: Cross Site Scripting
Where: From Remote
======================================================================
4) Exploit
Sample exploit:
http://www.secunia.com/secunia_research/2003-1/exploit/
======================================================================
5) Solution
Vendor patch:
Windows: Update to latest version. Opera v7.02 is not vulnerable.
Linux: No update available.
Workaround:
A workaround would be to leave "Automatic redirection" enabled.
======================================================================
6) Time Table
15/02/2003 - Vulnerability discovered
16/02/2003 - Further research
17/02/2003 - Vendor informed
19/02/2003 - Vendor confirmed and fixed vulnerability
26/02/2003 - Vendor released Opera v7.02
26/02/2003 - Public disclosure of vulnerability
======================================================================
7) About Secunia
Secunia collects, validates, assesses and writes advisories regarding
all the latest software vulnerabilities disclosed to the public. These
advisories are gathered in a publicly available database at the
Secunia website:
http://www.secunia.com/
Secunia offers services to our customers enabling them to receive all
relevant vulnerability information to their specific system
configuration.
======================================================================
8) Credits
Jakob Balle, Secunia
======================================================================
9) Verification
Please verify this advisory by visiting the Secunia website.
http://www.secunia.com/secunia_research/2003-1/
======================================================================
(91857) /Jakob Balle <jb@secunia.com>/--------------
92007 2003-02-27 16:56 /50 rader/ Axel Beckert - ecos gmbh <beckert@ecos.de>
Importerad: 2003-02-27 16:56 av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <3702>
Kommentar till text 91857 av Jakob Balle <jb@secunia.com>
Ärende: Re: Secunia Research: Opera browser Cross Site Scripting
------------------------------------------------------------
Hi!
Am Wed, Feb 26, 2003 at 04:00:55PM +0100, Jakob Balle schrieb:
> ======================================================================
> 2) Affected Software
>
> Following have been tested and found vulnerable:
> Opera prior to 7.02 on Windows
> [...]
>
> ======================================================================
> 5) Solution
>
> Vendor patch:
> Windows: Update to latest version. Opera v7.02 is not vulnerable.
> Linux: No update available.
> [...]
>
> ======================================================================
> 6) Time Table
>
> 15/02/2003 - Vulnerability discovered
> 16/02/2003 - Further research
> 17/02/2003 - Vendor informed
> 19/02/2003 - Vendor confirmed and fixed vulnerability
> 26/02/2003 - Vendor released Opera v7.02
> 26/02/2003 - Public disclosure of vulnerability
Please note, that the Opera "Bork Edition", released on 14-Feb-2003,
calls itself on the "opera:about" page also "Opera 7.02" (build number
is "2658 Bork Edition"), but _is_ vulnerable. (Not tested, but it has
been released before the vulnerability was discovered... :-)
Kind regards, Axel Beckert
--
--------------------------------------------------------------
Axel Beckert ecos electronic communication services gmbh
IT-Securitylösungen * dynamische Webapplikationen * Consulting
Post: Tulpenstrasse 5 D-55276 Dienheim b. Mainz
E-Mail: beckert@ecos.de Voice: +49 6133 939-220
WWW: http://www.ecos.de/ Fax: +49 6133 939-333
--------------------------------------------------------------
| |
| Visit us at CeBIT from 12. to 19. March 2003 |
| Messe Hannover * Halle 17 * Stand F 36 |
| http://www.cebit.de/ |
| |
--------------------------------------------------------------
(92007) /Axel Beckert - ecos gmbh <beckert@ecos.de>/