Opera: Location, Location, Location
From: GreyMagic Software <security () greymagic com>
Date: Thu, 5 Aug 2004 13:16:52 +0200
GreyMagic Security Advisory GM#008-OP
By GreyMagic Software, 05 Aug 2004.
Available in HTML format at
Topic: Location, Location, Location.
Discovery date: 19 Jul 2004.
Opera 7.53 and prior on Windows, Linux and Mac.
On 04-Feb-2003 GreyMagic released an advisory concerning Opera's
security model in v7.0. The advisory described several flaws in Opera's
model, one of which allowed an attacker to overwrite native and custom
functions in a victim window. When the victim web-page executed such a
function, the attacker's code ran with the victim's privileges.
Opera tried to prevent such scenarios in Opera 7.01 by blocking
write-access to objects on the victim window.
Unfortunately, Opera failed to block write-access to the often-used
By overwriting methods in this object, an attacker can gain immediate script
access to any web-page that uses one of these methods. This includes both
web-pages in foreign domains and the victim's local file system.
The impacts of this vulnerability include:
* Read-access to files on the victim's file system
* Read-access to lists of files and folders on the victim's file system
* Read-access to emails written or received by M2, Opera's mail program
* Cookie theft
* URL spoofing (phishing)
* Tracking of the user's browsing history
* Much more...
Several methods are candidates for such attacks: assign(), replace(),
valueOf() and toString(). The first two would be triggered only when the
victim explicitly calls them. The latter ones would be called in many
implicit cases, including:
And many others...
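The point of the paragraph above is that valueOf() and toString() are reached implicitly, by string coercion, so a page never has to name them for a replaced method to run. The following is an added example, not code from the GreyMagic advisory: a defensive integrity check that a page could run before trusting the methods on its location object, plus a demonstration of the implicit call. Because Node has no window.location, a constructed stand-in object is used, with each method borrowed from a real engine-native function; the names `isNativeFunction`, `findOverriddenMethods`, `makeLocationStandIn` and `simulateTamperAndDetect` are this example's own.

```javascript
// Added example, not from the GreyMagic advisory: an integrity check a page
// could run before trusting the location object's methods. A constructed
// stand-in object replaces window.location so the code runs under Node.

const WATCHED_METHODS = ['assign', 'replace', 'valueOf', 'toString'];

// Engine-provided functions stringify as "function name() { [native code] }";
// a method replaced from script stringifies as that script's source text.
function isNativeFunction(fn) {
  if (typeof fn !== 'function') return false;
  const src = Function.prototype.toString.call(fn);
  return /\{\s*\[native code\]\s*\}\s*$/.test(src);
}

// Returns the watched method names that are missing or no longer native.
function findOverriddenMethods(obj, names = WATCHED_METHODS) {
  return names.filter((name) => !isNativeFunction(obj[name]));
}

// Constructed stand-in for window.location: every method is borrowed from a
// real native function, so the untouched object passes the check.
function makeLocationStandIn() {
  return {
    href: 'http://example.test/page.html', // constructed value
    assign: Array.prototype.push,          // native placeholder for location.assign
    replace: String.prototype.replace,     // native placeholder for location.replace
    valueOf: Object.prototype.valueOf,
    toString: Object.prototype.toString,
  };
}

// Shows why valueOf()/toString() matter: string concatenation invokes them
// implicitly, so a replaced toString runs without the page calling it by name.
// The replacement here only records that it ran and returns the href.
function simulateTamperAndDetect(loc) {
  let invoked = false;
  loc.toString = function () { invoked = true; return loc.href; };
  const coerced = 'Current URL: ' + loc; // valueOf() then toString(), implicitly
  return { invoked, coerced, overridden: findOverriddenMethods(loc) };
}

// Stand-alone run: reports invoked=true and overridden=['toString'].
const tamperReport = simulateTamperAndDetect(makeLocationStandIn());
console.log(tamperReport);
```

Note the limit of such a check: script that can rewrite location methods can usually rewrite Function.prototype.toString as well, so the stringification test is a detection aid for logging and triage, not a replacement for the vendor fix. Pages that must handle untrusted framing should also avoid implicit coercion of location (for example, read `location.href` explicitly rather than concatenating the object).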
In order to gain access to the "file://" protocol, and hence to the entire
file system, an attacker needs to know of an HTML file in the victim's file
system that actually calls a method of the location object. Such a
file is included in virtually all Windows operating systems: it is named
"CiAdmin.htm" and it can be found in a very predictable path -
To exploit this vulnerability an attacker can use a simple <iframe>,
pointing to the victim web-page, and inject the malicious code into its
window. Here's an oversimplified example: