
GreyMagic Security Advisory GM#004-OP

By GreyMagic Software, Israel.
04 Feb 2003.

Topic: Opera Images.

Discovery date: 29 Jan 2003.

Affected applications:

Opera 7 (final).

Introduction:

Opera recently released version 7 of its browser.

Opera 7, like any other browser, supports a considerable number of image formats. Images are normally embedded in HTML documents, but they can also be opened directly in the browser (by typing the image URL into the address bar or following a link to it), in which case Opera generates a small HTML page of its own to display the image.

Discussion:

By examining the HTML Opera generates when it displays a single image, it becomes obvious that Opera does not escape the supplied URL at all before inserting it into that page. Luckily, Opera percent-encodes most characters in the URL before it gets there, so characters such as the double quote and ">" never reach the markup and access to other domains via this flaw is impossible.

However, URLs to local files (the file:// protocol) are not encoded, so they cannot escape the most basic form of XSS: file://path/to/image.jpg?">Arbitrary HTML here. The "?" terminates the path, so the image itself still resolves, while everything after the ?"> is written straight into Opera's generated page and rendered there; any script it contains therefore runs in the file:// context of that page rather than on the attacker's site.

To make this even more convenient for attackers, Opera provides an easy way to refer to its own installation directory: file://localhost/. So instead of hunting for an image that is guaranteed to exist at a known path on the victim's OS, an attacker can simply refer to file://localhost/images/file.gif, one of the few images Opera ships by default, and enjoy the following abilities:

Note: the same applies to embeddable media, such as SWF.

Exploit:

// Run from any page the victim visits: opens the default Opera image in a new
// window; the injected <script> executes there and location.href shows its file:// origin.
open("file://localhost/images/file.gif?\"><script>alert(location.href);</script>","","");
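The mechanics behind the discussion and the exploit line above, as an added example that is neither GreyMagic's nor Opera's code. It models the wrapper page a browser generates for a directly opened image with an <img src="..."> template; that template, the function names and the HTTP_PAYLOAD string are assumptions, since the advisory does not show the markup Opera 7 actually emitted. The vulnerable model reproduces the behaviour described above (http:// URLs percent-encoded, file:// URLs inserted verbatim); the hardened model percent-encodes every URL and then HTML-escapes it before insertion. tagNames is a small scanner that lists the tags present outside quoted attribute values, which is the check a reviewer can run to see whether a URL escaped the attribute.

```javascript
// Added example (not from the advisory): model of a browser's image-wrapper
// page, vulnerable vs. hardened. The <img src="..."> template is an
// assumption; the page does not show Opera 7's real markup. Runs under Node.js.

// Payload taken from the advisory's Exploit section.
const PAYLOAD =
  'file://localhost/images/file.gif?"><script>alert(location.href);</script>';
// Constructed comparison payload on a remote host (hypothetical URL).
const HTTP_PAYLOAD = 'http://example.com/x.gif?"><script>alert(1)</script>';

// Vulnerable: mirrors the behaviour the advisory describes. Non-file URLs are
// percent-encoded before insertion; file:// URLs are inserted verbatim.
function legacyEncode(url) {
  if (url.startsWith("file://")) return url;
  return encodeURI(url); // '"' -> %22, '<' -> %3C, '>' -> %3E
}

function vulnerableWrapper(url) {
  return `<html><body><img src="${legacyEncode(url)}"></body></html>`;
}

// Hardened: percent-encode regardless of scheme, then escape for an HTML
// attribute so the characters encodeURI leaves alone (& and ') cannot break
// out either.
function escapeAttr(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

function hardenedWrapper(url) {
  return `<html><body><img src="${escapeAttr(encodeURI(url))}"></body></html>`;
}

// Minimal tag scanner: returns the names of the tags in the markup, skipping
// over quoted attribute values so that a '<' inside a properly quoted src does
// not count. If "script" shows up in the list, the URL escaped the attribute.
function tagNames(html) {
  const names = [];
  let i = 0;
  while (i < html.length) {
    if (html[i] !== "<") { i++; continue; }
    let j = i + 1;
    let name = "";
    while (j < html.length && /[A-Za-z0-9\/]/.test(html[j])) name += html[j++];
    if (name === "") { i++; continue; }
    names.push(name.toLowerCase());
    let quote = null;
    while (j < html.length) {
      const c = html[j];
      if (quote) { if (c === quote) quote = null; }
      else if (c === '"' || c === "'") quote = c;
      else if (c === ">") break;
      j++;
    }
    i = j + 1;
  }
  return names;
}

// Does the generated wrapper contain a script element the URL should never
// have been able to add?
function breaksOut(html) {
  return tagNames(html).includes("script");
}

console.log("vulnerable, file://", breaksOut(vulnerableWrapper(PAYLOAD)));      // true
console.log("vulnerable, http://", breaksOut(vulnerableWrapper(HTTP_PAYLOAD))); // false
console.log("hardened,   file://", breaksOut(hardenedWrapper(PAYLOAD)));        // false
```

Only the file:// payload breaks out of the vulnerable wrapper; the same payload on an http:// URL arrives percent-encoded and stays inside src, which is exactly the asymmetry the advisory relies on. The fix is to treat every scheme the same way and to escape for the context (an attribute value) as well as for the URL.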

Demonstration:

We put together two proof-of-concept demonstrations:

Solution:

Until a patch becomes available, disable JavaScript: go to File -> Preferences -> Multimedia and uncheck the "Enable JavaScript" item. Note that this only stops the injected script from running; the HTML injection itself remains until Opera encodes file:// URLs the way it already encodes other URLs.

Credits:

Many thanks to Tom Gilder for his excellent help in researching this vulnerability.

Tested on:

Opera 7 NT4.
Opera 7 Win98.
Opera 7 Win2000.
Opera 7 WinXP.

Disclaimer:

The information in this security advisory and any of its demonstrations is provided "as is" without warranty of any kind.

Vulnerability details are provided strictly for educational and defensive purposes.

GreyMagic Software is not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.


Copyright © 2008 GreyMagic Software