[NT] Opera's "What's Next" Method Reveals Sensitive Information
From: support@securiteam.com
Date: 02/10/03
From: support@securiteam.com To: list@securiteam.com Date: 10 Feb 2003 15:32:15 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Opera's "What's Next" Method Reveals Sensitive Information
------------------------------------------------------------------------
SUMMARY
Opera recently released a new version of its browser.
Like any other browser, Opera supports the "history" object, which makes
it possible to navigate through the browser history by exposing the
"back", "forward", and "go" methods.
The above methods can be called upon from a JavaScript program, allowing a
website owner to track where the user has been navigating.
DETAILS
Vulnerable systems:
* Opera version 7.0 under the Windows operating system
Immune systems:
* Opera version 7.01 under the Windows operating system
Opera exposes more than just these methods on the history object. It
also exposes two properties, "next" and "previous". Unlike the methods
mentioned above, these properties contain actual URLs.
This means that when a user navigates to a website, the owner can easily
check and log where the user had last been, and even where he went right
afterwards (in case the user goes back in history), regardless of whether
that previous URL referred to the owner's web site or not.
Notice that "history.previous" is not the same as the "HTTP_REFERER"
header. It will return the last URL even if it was not the direct referrer
to the current URL, which makes Opera's "Enable referrer logging"
configuration option completely pointless.
Exploit:
The following code demonstrates how to retrieve these properties:
alert("Last URL: "+history.previous+".\nNext URL: "+history.next+".");
Solution:
GreyMagic hopes that Opera will reconsider these properties and remove
them from the history object. Until then you may prefer to disable
JavaScript by going to File -> Preferences -> Multimedia and unchecking
the "Enable JavaScript" item.
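To confirm that a given browser build no longer exposes URL-bearing properties such as "next" and "previous", the history object can be audited. The following is an added example, not code from the original advisory or from GreyMagic; the function name findUrlLeaks, the two mock objects and the example.* URLs are constructed for illustration.

```javascript
// Matches absolute URLs of any scheme (http://, https://, file://, ...).
const URL_LIKE = /^[a-z][a-z0-9+.-]*:\/\//i;

// Return the sorted names of all non-function properties (own or inherited)
// of a history-like object whose value is a string that looks like a URL.
function findUrlLeaks(historyLike) {
  const leaks = [];
  const seen = new Set();
  for (let obj = historyLike; obj && obj !== Object.prototype;
       obj = Object.getPrototypeOf(obj)) {
    for (const name of Object.getOwnPropertyNames(obj)) {
      if (seen.has(name)) continue;
      seen.add(name);
      let value;
      try {
        value = historyLike[name]; // may invoke a getter on the prototype
      } catch (e) {
        continue; // a getter that throws discloses nothing to the page
      }
      if (typeof value === "string" && URL_LIKE.test(value)) leaks.push(name);
    }
  }
  return leaks.sort();
}

// Constructed mock: the behaviour the advisory describes for Opera 7.0.
const leakyHistory = {
  length: 3,
  back() {}, forward() {}, go() {},
  previous: "https://mail.example/inbox",
  next: "https://bank.example/account",
};

// Constructed mock: navigation methods only, no URL-bearing properties.
const safeHistory = {
  length: 3,
  back() {}, forward() {}, go() {},
};

console.log("leaky:", findUrlLeaks(leakyHistory));
console.log("safe:", findUrlLeaks(safeHistory));
```

In a browser console, call findUrlLeaks(window.history); an empty array means no URL-bearing property was found on the object.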
ADDITIONAL INFORMATION
The original advisory can be found at:
http://security.greymagic.com/adv/gm005-op/
The information has been provided by GreyMagic Software
<security@greymagic.com>.