For complete post (with images), please visit - http://securethoughts.com/2009/10/hijacking-operas-native-page-using-malicio us-rss-payloads/
Well, this one is a continuation of my previous post on Cross Site Scripting issues relating to RSS feed readers. In that post, I mentioned Scenario (3), but didn't discuss any details or PoC since Opera Team was actively fixing it. This issue is now fixed in the latest security update v10.01 from Opera Team.
Whitelisted HTML Tags Definition - Opera Feed Subscription Page (Source - DragonFly) (Image)
HTML Tag Sanitizer/Filter Function - Opera Feed Subscription Page (Source - DragonFly) (Image)
So, here is an example PoC exploit code which executes the opera.feeds.subscribeNative function to automatically register a feed in Opera browser without user consent. http://securethoughts.com/security/rssatomxss/opera10exploit2.atom (Tested on Opera 10.00 Stable Build 1750) (Image)
Thanks and Regards, Inferno Security Researcher SecureThoughts.com