Message-ID: <oprsrnmlgo2ftht5@mail.online.no>
Date: Wed, 23 Jul 2003 15:55:23 +0200
From: Arve Bersvendsen <arve@...tuelvis.com>
To: bugtraq@...urityfocus.com
Subject: Vulnerability in the mail client in Opera 7.20 beta 1.


A vulnerability has been discovered in M2, the mail client in Opera 7.20, 
beta 1.


Impact of vulnerability:
------------------------
Minor.


Versions affected:
------------------
Opera 7.20 Beta 1, build 2981 only. All other Opera versions are safe.


Description:
------------
Opera’s mail client, M2, has an option to suppress viewing of external 
embeds, turned on by default, that protects M2 users from having their 
e-mail tracked. This mechanism can be circumvented through the use of CSS.


Discussion:
-----------
External embeds are typically used by senders of unsolicited commercial 
email, spam, to act as “read receipts” and are typically 0×0 invisible 
images stored on a server.

The typical way a spammer can use such an image, from here on referred to 
as a mail bug, is by sending an HTML formatted mail, containing a link to 
an image stored on a mail server. Example:

<img src="http://exploit.example.com/img.gif?tracker=unique_tracker_id" 
width="0" height="0" />

The {unique_tracker_id} is a code unique to each mail sent out, and will 
give the spammer a confirmation that the mail sent out to a particular user 
was both received and opened.


Details:
--------
In Opera 7.20, when a mail is viewed in the mail client, an XML document is 
created, containing the mail headers and a mail body. Opera then uses CSS 
to apply style to this document.

<omf:mime xmlns:omf="http://www.opera.com/2003/omf" 
xmlns:html="http://www.w3.org/TR/REC-html40">
<html:link rel="stylesheet" href="file://localhost/C:\Program 
Files\Opera7\Styles\mime.css" type="text/css"/>
  <showheaders href="attachment:/135/headers.html">Display all 
headers</showheaders>
  <headers><hgrp>
    <hdr name="To"><n>To</n><v>john.doe@...mple.com</v></hdr>      
</hgrp></headers>
  <body id='omf_body_start'>
    <div class='document'>
      <rfc822 id='1058899906'>
      <html:body>
         { mail content goes here }
      </html:body>
      </omf:rfc822 id='1058899906'>
    </div>
  </body>
</omf:mime>

When mail is displayed it uses a stylesheet found in the file mime.css in 
the Styles subdirectory of the Opera installation folder. The mail headers 
and bodies are styled using namespace declarations in the mail:

@namespace omf url(http://www.opera.com/2003/omf);
@namespace html url(http://www.w3.org/TR/REC-html40);
omf|headers {
    /* style definitions */
}

By sending a mail using Content-type: text/html, and embedding a mail with 
styles similar to the ones found in the Opera stylesheet, a malicious user 
could insert an image that is displayed in the header area of the mail. An 
example of such a mail could be:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" 
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
 <head>
  <style type="text/css">
   omf|headers { background-image: url(http://www.example.com/t.png) }
  </style>
 </head>
 <body>
    { Normal mail body here }
 </body>
</html>

Opera 7.20 beta 1 will now display the image referenced in the style 
sheet, http://www.example.com/t.png, in the header area of the mail.


Solution:
---------
Either downgrade to Opera 7.11, or upgrade to Opera 7.20, beta 2, build 
3014, as they are not affected by the problem.


Other:
------
Opera Software was notified of the problem on 2003-07-04 and acknowledged 
the problem the same day, but requested some time to create a fix. Opera 
Software released Opera 7.20 beta 2, which fixed the problem, on 
2003-07-22.


An HTML version of this alert can be found at 
<URL:http://www.virtuelvis.com/archives/111.html>

-- 
Arve Bersvendsen

http://www.virtuelvis.com
http://www.bersvendsen.com
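
Added example, not part of the original advisory and not Opera's code: a 
check that lists every remote resource an HTML mail body would load on 
display, covering CSS url() references (the vector described under 
Details) as well as the img mail bug. The names RemoteRefFinder and 
remote_refs and the sample message are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# CSS tokens that trigger a fetch: url(...) and @import "..."
CSS_URL = re.compile(r"(?:url\(\s*|@import\s+(?=['\"]))['\"]?([^'\")\s]+)", re.I)
REMOTE = re.compile(r"(?:https?:)?//", re.I)   # absolute or scheme-relative
FETCH_ATTRS = {"src", "background", "poster"}  # attributes loaded without a click

class RemoteRefFinder(HTMLParser):
    """Collects (where, url) for each remote resource loaded on display."""
    def __init__(self):
        super().__init__()
        self.refs, self.in_style = [], False

    def add(self, where, url):
        if REMOTE.match(url.strip()):
            self.refs.append((where, url.strip()))

    def css(self, where, text):
        for url in CSS_URL.findall(text):
            self.add(where, url)

    def handle_starttag(self, tag, attrs):
        self.in_style = self.in_style or tag == "style"
        for name, value in attrs:
            if not value:
                continue
            if name in FETCH_ATTRS or (tag == "link" and name == "href"):
                self.add(f"<{tag} {name}>", value)
            elif name == "style":          # inline style="" attribute
                self.css(f"<{tag} style>", value)

    def handle_endtag(self, tag):
        self.in_style = self.in_style and tag != "style"

    def handle_data(self, data):
        if self.in_style:                  # text inside <style>...</style>
            self.css("<style>", data)

def remote_refs(html_body):
    finder = RemoteRefFinder()
    finder.feed(html_body)
    finder.close()
    return finder.refs

# Constructed sample combining the two snippets shown in the advisory
SAMPLE = """<html><head><style type="text/css">
omf|headers { background-image: url(http://www.example.com/t.png) }
</style></head><body><img width="0" height="0"
src="http://exploit.example.com/img.gif?tracker=unique_tracker_id" /></body></html>"""
```

A filter that only inspects img elements reports one reference for this 
sample; remote_refs(SAMPLE) also reports the style sheet background image.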


