|
Full Disclosure
mailing list archives
Re: Opera/Konqueror: data: URL scheme address bar spoofing
From: Andrew Redman <aredman () education ucsb edu>
Date: Sun, 15 Jul 2007 09:55:21 -0700
This did /not/ work in Opera 9.20/WinXPSP2 (I'm a little slow on the
updates...) Seems as though this issue just got added in 9.21. - Andrew
Robert Swiecki wrote:
With a specially crafted web page, an attacker can redirect
a www browser to the page, which URL (in the url bar) resembles
an arbitrary domain choosen by the attacker.
It's possible due to the fact, that some web browsers incorrectly
display contents of the url bar while rendering pages based on the
'data:' URL scheme (RFC 2397). Only the ending of the URL is
displayed. Padding the URL with whitespaces allows an attacker to
insert an arbitrary content into the browser url bar.
http://alt.swiecki.net/oper1.html
Tested with:
* Opera 9.21 on Win 2003SE and Win XPSP2
* Opera 9.21 on Linux
* Konqueror 3.5.7 on Linux
Pictures taken on my systems (using 1024x768 dekstop resolution)
http://alt.swiecki.net/operalin.png
http://alt.swiecki.net/operawin.png
http://alt.swiecki.net/konq.png
Successfull attack depends on the proper construction of the
'data:' URL. An algorithm could utilize JS
document.body.clientWidth/Height properties to calculate the
best url padding for the given browser.
PS. Sometimes Opera web browser displays the beggining of
the 'data:' URL (correct behaviour), e.g. during
browser startup with immediate redirect to the last visited page.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
 By Date 
By Thread
Current thread:
| 
Intro
