Stalemate
September 8th, 2004, 10:02 AM
http://www.greymagic.com/security/advisories/gm008-op/
Introduction:
On 04-Feb-2003 GreyMagic released an advisory (http://www.greymagic.com/security/advisories/gm002-op/) concerning Opera's security model in v7.0. The advisory depicted several flaws in Opera's model, one of which allowed an attacker to overwrite native and custom functions in a victim window. When the victim web-page executed such a function, the attacker's code executed with the victim's privileges.
Opera tried to prevent such scenarios in Opera 7.01, by blocking write-access to objects on the victim window.
Discussion:
Unfortunately, Opera failed to block write-access to the often-used "location" object.
By overwriting methods in this object, an attacker can gain immediate script access to any web-page that uses one of these methods. This includes both web-pages in foreign domains and the victim's local file system.
The impacts of this vulnerability include:
- Read-access to files on the victim's file system
- Read-access to lists of files and folders on the victim's file system
- Read-access to emails written or received by M2, Opera's mail program
- Cookie theft
- URL spoofing (phishing)
- Track user browsing history
- Much more...
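The gap described in the Discussion (write access blocked on the victim window's objects, except "location") can be modelled as a write guard with one exempted object. The following is an added example, not code from the advisory or from Opera; `foreignView`, `makeVictimWindow`, `writeIsBlocked` and `writableObjects` are hypothetical names, and the window object is constructed sample data.

```javascript
// Toy model (constructed, not Opera's code): the view a script from another
// origin receives when it reaches into a victim window.
function foreignView(obj, unguarded = new Set()) {
  const deny = () => { throw new TypeError("cross-origin write blocked"); };
  return new Proxy(obj, {
    get(target, key) {
      const value = target[key];
      if (value === null || typeof value !== "object") return value;
      // Modelled flaw: objects named in `unguarded` are handed out raw,
      // so their methods can be replaced from outside.
      return unguarded.has(key) ? value : foreignView(value, unguarded);
    },
    set: deny,
    defineProperty: deny,
    deleteProperty: deny,
    setPrototypeOf: deny,
  });
}

// Constructed stand-in for a victim window and the objects hanging off it.
function makeVictimWindow() {
  return {
    document: { title: "constructed sample page" },
    history: { length: 1 },
    location: { href: "https://victim.example/", replace(url) { this.href = url; } },
  };
}

// True when a foreign write to win[objName][prop] is rejected and the
// victim's own object still holds its original value afterwards.
function writeIsBlocked(unguarded, objName, prop) {
  const win = makeVictimWindow();
  const original = win[objName][prop];
  let threw = false;
  try {
    foreignView(win, unguarded)[objName][prop] = function replaced() {};
  } catch (e) {
    threw = e instanceof TypeError;
  }
  return threw && win[objName][prop] === original;
}

// Regression check: probe every object on the window, not a fixed list.
function writableObjects(unguarded) {
  return Object.keys(makeVictimWindow())
    .filter((name) => !writeIsBlocked(unguarded, name, "replace"));
}

console.log(writableObjects(new Set(["location"]))); // policy with the gap
console.log(writableObjects(new Set()));             // deny-by-default
```

Enumerating the window's objects in the check, instead of testing a hand-picked list, is what makes a single forgotten object show up.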