[NT] Phishing for Opera

From: SecuriTeam (support_at_securiteam.com)
Date: 06/06/04

  • Next message: SecuriTeam: "[NT] Security Enhancements in Windows XP Service Pack 2"
    To: list@securiteam.com
    Date: 6 Jun 2004 19:10:20 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Phishing for Opera
    ------------------------------------------------------------------------

    SUMMARY

    Opera <http://www.opera.com/> is "a cross-platform web browser". It is
    possible to use the shortcut icon (favicon) feature of Opera to fool a
    user into thinking he/she is in a trusted domain.

    DETAILS

    Vulnerable Systems:
     * Opera browser version 7.50 and prior

    Immune Systems:
     * Opera browser version 7.51

    The problem stems from the fact that Opera allows icons wider than normal,
    enough for the icon to seem as though it is the address bar itself. While
    the icon hides the real address, the user might be fooled into believing
    that the browser is pointing to a trusted domain when in fact the user
    might be viewing and interacting with a different domain, one that is
    hostile or malicious.

    For this problem to be feasible to exploit, the icon must look like the
    address bar containing a proper address. This alone, however, is not
    enough, because the real address will still be shown to the right of the
    fake address. Unfortunately, this too can be circumvented by tricking
    Opera into showing the right-hand side of the attacking URL, while filling
    that side with spaces.

    In order to exploit this, create an image that looks like an address in
    Opera's address bar and use the following element to include it in a page:

    <link rel="shortcut icon" href="linkToFakeAddress.gif">

    A proof-of-concept is provided for this vulnerability. Point your Opera
    web browser to
    <http://security.greymagic.com/security/advisories/gm007-op/>.

    Vendor Status:
    The vendor has been informed and a newer version is available. Users are
    encouraged to upgrade to version 7.51.
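
    A filtering-side check for the condition described under DETAILS (a
    shortcut icon that is wider than normal), added here as an example and
    not part of the original advisory or of Opera's fix. The 16-pixel
    threshold, the function names and the sample bytes are assumptions
    constructed for illustration; only GIF icons are parsed.

```python
import struct
from html.parser import HTMLParser

# Assumption: 16x16 is treated as the normal icon size; anything larger is flagged.
MAX_ICON_SIDE = 16


class IconLinkFinder(HTMLParser):
    """Collects href values of <link> elements whose rel list contains 'icon'."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        attr = dict(attrs)
        rel_tokens = (attr.get("rel") or "").lower().split()
        if "icon" in rel_tokens and attr.get("href"):
            self.hrefs.append(attr["href"])


def find_icon_links(html):
    """Return every icon URL a page declares, e.g. via rel="shortcut icon"."""
    finder = IconLinkFinder()
    finder.feed(html)
    return finder.hrefs


def gif_dimensions(data):
    """Read (width, height) from the GIF logical screen descriptor, or None."""
    if len(data) < 10 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return None
    return struct.unpack("<HH", data[6:10])  # little-endian 16-bit width, height


def classify_icon(data, max_side=MAX_ICON_SIDE):
    """Return 'ok', 'oversized' or 'unknown' (not a GIF this check can parse)."""
    dims = gif_dimensions(data)
    if dims is None:
        return "unknown"
    width, height = dims
    return "oversized" if width > max_side or height > max_side else "ok"


# Constructed sample inputs: GIF headers only, not the advisory's proof-of-concept.
SAMPLE_PAGE = '<head><link rel="shortcut icon" href="linkToFakeAddress.gif"></head>'
NORMAL_ICON = b"GIF89a" + struct.pack("<HH", 16, 16) + b"\x00\x00\x00"
WIDE_ICON = b"GIF89a" + struct.pack("<HH", 400, 16) + b"\x00\x00\x00"

if __name__ == "__main__":
    print(find_icon_links(SAMPLE_PAGE))
    print(classify_icon(NORMAL_ICON), classify_icon(WIDE_ICON))
```

    A proxy or crawler would fetch each URL returned by find_icon_links()
    and drop or report any icon that classify_icon() does not rate "ok".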

    ADDITIONAL INFORMATION

    The information has been provided by GreyMagic Software
    <mailto:security@greymagic.com>.
    The original article can be found at:
    <http://www.greymagic.com/security/advisories/gm007-op/>
