Vulnerability in the mail client in Opera 7.20 beta 1.

From: Arve Bersvendsen (
Date: 07/23/03

  • Next message: Erwann CORVELLEC: "Re: vulnerable to Cross-site Scripting"
    Date: Wed, 23 Jul 2003 15:55:23 +0200

    A vulnerability has been discovered in M2, the mail client in Opera 7.20,
    beta 1.

    Impact of vulnerability:

    Versions affected:
    Opera 7.20 Beta 1, build 2981 only. All other Opera versions are safe.

    Opera’s mail client, M2, has an option to suppress viewing of external
    embeds, turned on by default, that protects M2 users from having their
    e-mail tracked. This mechanism can be circumvented through the use of CSS.

    External embeds are typically used by senders of unsolicited commercial
    email, spam, to act as “read receipts” and are typically 0x0 invisible
    images stored on a server.

    The typical way a spammer can use such an image, from here on referred to as
    a mail bug, is by sending an HTML formatted mail, containing a link to an
    image stored on a mail server. Example:

    <img src=""
    width="0" height="0" />

    The {unique_tracker_id} is a code unique to each mail sent out, and will
    give the spammer a confirmation that the mail sent out to a particular user
    was both received and opened.

    In Opera 7.20, when a mail is viewed in the mail client, an XML document is
    created, containing the mail headers and a mail body. Opera then uses CSS
    to apply style to this document.

    <omf:mime xmlns:omf="">
    <html:link rel="stylesheet" href="file://localhost/C:\Program
    Files\Opera7\Styles\mime.css" type="text/css"/>
      <showheaders href="attachment:/135/headers.html">Display all</showheaders>
        <hdr name="To"><n>To</n><v></v></hdr>
      <body id='omf_body_start'>
        <div class='document'>
          <rfc822 id='1058899906'>
             { mail content goes here }
          </rfc822>
        </div>
      </body>
    </omf:mime>

    When mail is displayed it uses a stylesheet found in the file mime.css in
    the Styles subdirectory of the Opera installation folder. The mail headers
    and bodies are styled using namespace declarations in the mail:

    @namespace omf url();
    @namespace html url();
    omf|headers {
        /* style definitions */
    }

    By sending a mail using Content-type: text/html, and embedding a mail with
    styles similar to the ones found in the Opera stylesheet, a malicious user
    could insert an image that is displayed in the header area of the mail. An
    example of such a mail could be:

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    <html xmlns="" xml:lang="en" lang="en">
      <head>
        <style type="text/css">
          omf|headers { background-image: url() }
        </style>
      </head>
      <body>
        { Normal mail body here }
      </body>
    </html>

    Opera 7.20 beta 1 will now display the image referenced in the style
    sheet in the header area of the mail.
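    As an added defender-side example (not part of the original advisory), the
    following Python scanner flags the pattern described above in an incoming
    text/html mail: CSS rules that fetch a remote url(), or that address Opera's
    internal omf namespace, plus a helper that neutralizes the remote references.
    The sample mail, its addresses and the tracker host are constructed.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample mail shaped like the advisory's example; the tracker host
# and addresses are hypothetical, not taken from the original post.
SAMPLE_MAIL = """\
From: sender@example.invalid
To: victim@example.invalid
Subject: hello
Content-Type: text/html; charset=us-ascii

<html><head><style type="text/css">
omf|headers { background-image: url(http://tracker.example.invalid/t.gif?id=abc123) }
</style></head><body><p>Hi</p></body></html>
"""

STYLE_BLOCK = re.compile(r"<style\b[^>]*>(.*?)</style>", re.I | re.S)
INLINE_STYLE = re.compile(r"\bstyle\s*=\s*([\"'])(.*?)\1", re.I | re.S)
# A url() with a remote scheme (or protocol-relative //host) is exactly the
# fetch that the "suppress external embeds" setting is meant to block.
REMOTE_URL = re.compile(r"url\(\s*[\"']?\s*(?:https?:|ftp:|//)", re.I)
# Selectors with the omf| prefix address Opera's internal mail document, not
# the sender's own HTML; a mail has no legitimate reason to style them.
OMF_SELECTOR = re.compile(r"\bomf\s*\|", re.I)

def find_css_leaks(html):
    """Return (where, reason) findings for CSS in an HTML body that would fetch
    a remote resource or that targets the omf mail namespace."""
    findings = []
    sources = [("style", m.group(1)) for m in STYLE_BLOCK.finditer(html)]
    sources += [("inline", m.group(2)) for m in INLINE_STYLE.finditer(html)]
    for where, css in sources:
        if REMOTE_URL.search(css):
            findings.append((where, "remote url() in CSS"))
        if OMF_SELECTOR.search(css):
            findings.append((where, "selector targets omf| mail namespace"))
    return findings

def neutralize_css(css):
    """Replace every remote url(...) value with 'none' so no fetch can occur."""
    return re.sub(r"url\(\s*[\"']?(?:https?:|ftp:|//)[^)]*\)", "none", css,
                  flags=re.I)

def scan_mail(raw):
    """Parse an RFC 822 message and scan every text/html part."""
    msg = message_from_string(raw, policy=default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            findings.extend(find_css_leaks(part.get_content()))
    return findings
```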

    Either downgrade to Opera 7.11, or upgrade to Opera 7.20, beta 2, build
    3014, as they are not affected by the problem.

    Opera software was notified of the problem on 2003-07-04 and acknowledged
    the problem the same day, but requested some time to create a fix. Opera
    Software released Opera 7.20 beta 2, which fixed the problem, on 2003-07-

    An HTML version of this alert can be found at

    Arve Bersvendsen
