Opera Images (GM#004-OP)

From: GreyMagic Software (security@greymagic.com)
Date: 02/04/03

    From: GreyMagic Software <security@greymagic.com>
    To: "bugtraq@securityfocus.com" <bugtraq@securityfocus.com>
    Date: Tue, 04 Feb 2003 11:10:48 GMT

    GreyMagic Security Advisory GM#004-OP

    By GreyMagic Software, Israel.
    04 Feb 2003.

    Available in HTML format at http://security.greymagic.com/adv/gm004-op/.

    Topic: Opera Images.

    Discovery date: 29 Jan 2003.

    Affected applications:

    Opera 7 (final).


    Opera recently released a new version of its browser.

    Opera 7, just like any other browser, supports a considerable amount of
    image formats. Images are normally embedded in HTML documents but they can
    also be accessed directly via the browser.


    By examining the HTML Opera generates when it displays a single image, it
    becomes obvious that Opera does not escape the provided URL before
    inserting it into that HTML. Luckily though, Opera automatically encodes
    most characters in the URL, so access to other domains via this flaw
    becomes impossible.

    However, URLs to local files (file:// protocol) do not get encoded and are
    therefore open to the most basic form of XSS:
    file://path/to/image.jpg?">Arbitrary HTML here.

    And to make this even more comfortable for attackers, Opera provided an easy
    way to refer to its own installation directory - file://localhost/. So
    instead of searching for default images in the OS, an attacker can simply
    refer to file://localhost/images/file.gif, one of the few images Opera ships
    by default, and enjoy the following abilities:

    * Read any file on the user's file system.
    * Read the contents of directories on the user's file system.
    * Read emails written or received by M2, Opera's mail program.
    * And more...

    Note: the same applies to embeddable media, such as SWF.
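The following is an added illustration, not Opera's code: it reconstructs the wrapper-page pattern described above (an `<img>` tag whose `src` is filled in from the requested URL) in its unescaped form beside the attribute-escaped form that closes the hole. The shape of the wrapper markup is an assumption; only the unescaped interpolation itself is what the advisory describes.

```javascript
// Added example: how a single-image wrapper page must treat the URL it embeds.
// The wrapper markup below is assumed; Opera's actual markup is not on the page.

// Escape the characters that can terminate an HTML attribute value or open a tag.
function escapeHtmlAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Reverse of escapeHtmlAttr, used to recover the attribute value a parser would see.
function unescapeHtmlAttr(s) {
  return String(s)
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&amp;/g, "&");
}

// Vulnerable pattern: the URL is dropped into the attribute verbatim, so a
// quote in the URL ends the attribute and the remainder becomes markup.
function wrapImageUnsafe(url) {
  return '<html><body><img src="' + url + '"></body></html>';
}

// Hardened pattern: escape before interpolation; the whole URL stays inside src.
function wrapImageSafe(url) {
  return '<html><body><img src="' + escapeHtmlAttr(url) + '"></body></html>';
}

// Extract the src attribute value as an HTML parser would delimit it.
function srcAttribute(html) {
  const m = /src="([^"]*)"/.exec(html);
  return m ? unescapeHtmlAttr(m[1]) : null;
}

// Constructed sample input in the form quoted in the advisory.
const SAMPLE_URL = 'file://localhost/images/file.gif?">Arbitrary HTML here.';

// Does the embedded attribute round-trip to the original URL intact?
function urlSurvivesIntact(wrap, url) {
  return srcAttribute(wrap(url)) === url;
}
```

With the unsafe wrapper the attribute is cut at the first quote and the text after it is rendered as HTML; with the escaped wrapper the complete URL is recovered from the attribute.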


    We put together two proof-of-concept demonstrations:

    * Simple: Demonstrates how a single local image can be exploited.
    * GreyMagic Opera Disk Explorer: Browse your entire file system using this
    explorer-like tool, which takes advantage of this vulnerability in order to
    access local resources.

    They can both be found at http://security.greymagic.com/adv/gm004-op/.


    Until a patch becomes available, disable JavaScript by going to: File ->
    Preferences -> Multimedia, and uncheck the "Enable JavaScript" item.

    Tested on:

    Opera 7 NT4.
    Opera 7 Win98.
    Opera 7 Win2000.
    Opera 7 WinXP.


    The information in this advisory and any of its demonstrations is provided
    "as is" without warranty of any kind.

    GreyMagic Software is not liable for any direct or indirect damages caused
    as a result of using the information or demonstrations provided in any part
    of this advisory.


    Please mail any questions or comments to security@greymagic.com.

    - Copyright 2003 GreyMagic Software.
