Vulnerability in the mail client in Opera 7.20 beta 1.

From: Arve Bersvendsen (arve_at_virtuelvis.com)
Date: 07/23/03

    To: bugtraq@securityfocus.com
    Date: Wed, 23 Jul 2003 15:55:23 +0200
    
    

    A vulnerability has been discovered in M2, the mail client in Opera 7.20,
    beta 1.

    Impact of vulnerability:
    ------------------------
    Minor.

    Versions affected:
    ------------------
    Opera 7.20 Beta 1, build 2981 only. All other Opera versions are safe.

    Description:
    ------------
    Opera’s mail client, M2, has an option to suppress viewing of external
    embeds, turned on by default, that protects M2 users from having their
    e-mail tracked. This mechanism can be circumvented through the use of CSS.

    Discussion:
    -----------
    External embeds are typically used by senders of unsolicited commercial
    email, spam, to act as “read receipts” and are typically 0×0 invisible
    images stored on a server.

    The typical way a spammer can use such an image, from here on referred to
    as a mail bug, is by sending an HTML formatted mail, containing a link to
    an image stored on a mail server. Example:

    <img src="http://exploit.example.com/img.gif?tracker=unique_tracker_id"
    width="0" height="0" />

    The {unique_tracker_id} is a code unique to each mail sent out, and will
    give the spammer a confirmation that the mail sent out to a particular user
    was both received and opened.

    Details:
    --------
    In Opera 7.20, when a mail is viewed in the mail client, an XML document is
    created, containing the mail headers and a mail body. Opera then uses CSS
    to apply style to this document.

    <omf:mime xmlns:omf="http://www.opera.com/2003/omf"
    xmlns:html="http://www.w3.org/TR/REC-html40">
    <html:link rel="stylesheet" href="file://localhost/C:\Program
    Files\Opera7\Styles\mime.css" type="text/css"/>
      <showheaders href="attachment:/135/headers.html">Display all
    headers</showheaders>
      <headers><hgrp>
        <hdr name="To"><n>To</n><v>john.doe@example.com</v></hdr>
    </hgrp></headers>
      <body id='omf_body_start'>
        <div class='document'>
          <rfc822 id='1058899906'>
          <html:body>
             { mail content goes here }
          </html:body>
          </omf:rfc822 id='1058899906'>
        </div>
      </body>
    </omf:mime>

    When mail is displayed it uses a stylesheet found in the file mime.css in
    the Styles subdirectory of the Opera installation folder. The mail headers
    and bodies are styled using namespace declarations in the mail:

    @namespace omf url(http://www.opera.com/2003/omf);
    @namespace html url(http://www.w3.org/TR/REC-html40);
    omf|headers {
        /* style definitions */
    }

    By sending a mail using Content-type: text/html, and embedding a mail with
    styles similar to the ones found in the Opera stylesheet, a malicious user
    could insert an image that is displayed in the header area of the mail. An
    example of such a mail could be:

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
     <head>
      <style type="text/css">
       omf|headers { background-image: url(http://www.example.com/t.png) }
      </style>
     </head>
     <body>
        { Normal mail body here }
     </body>
    </html>

    Opera 7.20 beta 1 will now display the image referenced in the style
    sheet, http://www.example.com/t.png, in the header area of the mail.

    Solution:
    ---------
    Either downgrade to Opera 7.11, or upgrade to Opera 7.20, beta 2, build
    3014, as they are not affected by the problem.

    Other:
    ------
    Opera Software was notified of the problem on 2003-07-04 and acknowledged
    the problem the same day, but requested some time to create a fix. Opera
    Software released Opera 7.20 beta 2, which fixed the problem, on
    2003-07-22.

    An HTML version of this alert can be found at
    <URL:http://www.virtuelvis.com/archives/111.html>

    -- 
    Arve Bersvendsen
    http://www.virtuelvis.com
    http://www.bersvendsen.com
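
The bypass described in this advisory works because a remote URL can sit in CSS as well as in an `<img>` attribute. As an added example (not part of the original advisory and not Opera's code), the Python checker below lists every remote reference in an HTML mail body, covering URL-bearing attributes, `<style>` blocks and inline `style` attributes; the function and class names are hypothetical, and the two samples are the snippets shown in the advisory.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# CSS constructs that make a renderer fetch a resource.
CSS_URL = re.compile(r"""url\(\s*['"]?([^'")\s]+)""", re.I)
CSS_IMPORT = re.compile(r"""@import\s+['"]([^'"]+)['"]""", re.I)
URL_ATTRS = {"src", "background", "poster", "data"}

def is_remote(url):
    # Scheme-relative URLs (//host/x) also leave the machine.
    return url.startswith("//") or urlsplit(url).scheme.lower() in {"http", "https", "ftp"}

def css_urls(css):
    return CSS_URL.findall(css) + CSS_IMPORT.findall(css)

class RemoteRefFinder(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.refs = []            # (location, url) pairs
        self._in_style = False

    def _add(self, where, urls):
        self.refs += [(where, u) for u in urls if is_remote(u)]

    def handle_starttag(self, tag, attrs):
        # No tags are parsed inside <style>, so this only flips on entry.
        self._in_style = (tag == "style")
        for name, value in attrs:
            value = (value or "").strip()
            if name in URL_ATTRS or (tag == "link" and name == "href"):
                self._add(f"<{tag} {name}>", [value])
            elif name == "style":
                self._add(f"<{tag} style>", css_urls(value))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:        # text content of a <style> element
            self._add("<style>", css_urls(data))

def find_remote_refs(html):
    finder = RemoteRefFinder()
    finder.feed(html)
    finder.close()
    return finder.refs

# Samples taken from the advisory text: the classic mail bug and the CSS variant.
IMG_BUG = '<img src="http://exploit.example.com/img.gif?tracker=unique_tracker_id" width="0" height="0" />'
CSS_BUG = ('<html><head><style type="text/css">omf|headers { background-image: '
           'url(http://www.example.com/t.png) }</style></head><body>text</body></html>')
```

A filter that only inspects `src` attributes reports nothing for `CSS_BUG`; here both samples yield one remote reference each, while `cid:` and `data:` URLs are treated as local.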
    
