Date: Sun, 15 Jul 2007 09:55:21 -0700
From: Andrew Redman <aredman@...cation.ucsb.edu>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Opera/Konqueror: data: URL scheme address bar
 spoofing

This did /not/ work in Opera 9.20/WinXPSP2 (I'm a little slow on the 
updates...) Seems as though this issue just got added in 9.21. - Andrew

Robert Swiecki wrote:
> With a specially crafted web page, an attacker can redirect
> a www browser to a page whose URL (in the url bar) resembles
> an arbitrary domain chosen by the attacker.
>
> It's possible due to the fact that some web browsers incorrectly
> display contents of the url bar while rendering pages based on the
> 'data:' URL scheme (RFC 2397). Only the ending of the URL is
> displayed. Padding the URL with whitespaces allows an attacker to
> insert arbitrary content into the browser url bar.
>
> http://alt.swiecki.net/oper1.html
>
> Tested with:
>  * Opera 9.21 on Win 2003SE and Win XPSP2
>  * Opera 9.21 on Linux
>  * Konqueror 3.5.7 on Linux
>
> Pictures taken on my systems (using 1024x768 desktop resolution)
> http://alt.swiecki.net/operalin.png
> http://alt.swiecki.net/operawin.png
> http://alt.swiecki.net/konq.png
>
> Successful attack depends on the proper construction of the
> 'data:' URL. An algorithm could utilize JS
> document.body.clientWidth/Height properties to calculate the
> best url padding for the given browser.
>
> PS. Sometimes Opera web browser displays the beginning of
> the 'data:' URL (correct behaviour), e.g. during
> browser startup with immediate redirect to the last visited page.
>
>   

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
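
A defensive check for the behaviour described in the quoted advisory, as an added example that is not part of either post: it flags 'data:' URLs that combine a long whitespace run with a host-like ending, and renders a URL so the scheme is never scrolled out of view. The function names, the 20-character threshold and the sample URLs are assumptions constructed for illustration.

```javascript
// Added example (not from the thread). Threshold and names are assumptions.
const PAD_RUN = 20; // whitespace run length treated as padding (constructed value)
const WS = /[\s\u00a0]+/g;
const HOST_LIKE = /^(https?:\/\/)?([a-z0-9-]+\.)+[a-z]{2,}(\/\S*)?$/i;

// Decode %XX escapes without throwing on malformed sequences.
function decodeLoosely(s) {
  return s.replace(/%([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Report whether a URL is a data: URL whose ending could pose as a host
// when only the tail of the string is shown in an address bar.
function inspectDataUrl(url) {
  const trimmed = url.replace(/^[\s\u0000-\u001f]+/, '');
  if (!/^data:/i.test(trimmed)) return { isData: false, suspicious: false, reasons: [] };
  const decoded = decodeLoosely(trimmed);
  const longest = (decoded.match(WS) || []).reduce((m, r) => Math.max(m, r.length), 0);
  const tail = decoded.replace(/[\s\u00a0]+$/, '').split(WS).pop();
  const padded = longest >= PAD_RUN;
  const hostTail = HOST_LIKE.test(tail);
  const reasons = [];
  if (padded) reasons.push('whitespace run of ' + longest);
  if (hostTail) reasons.push('ending resembles a host or URL');
  return { isData: true, suspicious: padded && hostTail, reasons };
}

// Display form that keeps the start (scheme) visible: collapse whitespace
// runs and elide the middle instead of showing only the ending.
function displayUrl(url, width) {
  const flat = decodeLoosely(url).replace(WS, ' ');
  if (flat.length <= width) return flat;
  const keep = Math.max(width - 3, 2);
  const head = Math.ceil(keep / 2);
  const tailLen = Math.floor(keep / 2);
  return flat.slice(0, head) + '...' + flat.slice(flat.length - tailLen);
}

// Constructed samples: literal padding, %20 padding, and an ordinary data: URL.
const SAMPLES = [
  'data:text/html,<p>constructed</p>' + ' '.repeat(200) + 'www.example.com',
  'data:text/html,hello' + '%20'.repeat(60) + 'http://www.example.com/',
  'data:image/png;base64,iVBORw0KGgo=',
];

for (const s of SAMPLES) {
  const r = inspectDataUrl(s);
  console.log(r.suspicious ? 'FLAG' : 'ok  ', displayUrl(s, 40), r.reasons);
}
```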
