Opera/Konqueror: data: URL scheme address bar spoofing

2007.07.21
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 2.6/10
Impact Subscore: 2.9/10
Exploitability Subscore: 4.9/10
Access required: Remote
Attack complexity: High
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

With a specially crafted web page, an attacker can redirect a web browser to a page whose URL (in the URL bar) resembles an arbitrary domain chosen by the attacker. This is possible because some web browsers incorrectly display the contents of the URL bar while rendering pages based on the 'data:' URL scheme (RFC 2397). Only the ending of the URL is displayed. Padding the URL with whitespace allows an attacker to insert arbitrary content into the browser URL bar.

http://alt.swiecki.net/oper1.html

Tested with:
* Opera 9.21 on Win 2003SE and Win XPSP2
* Opera 9.21 on Linux
* Konqueror 3.5.7 on Linux

Pictures taken on my systems (using 1024x768 desktop resolution):
http://alt.swiecki.net/operalin.png
http://alt.swiecki.net/operawin.png
http://alt.swiecki.net/konq.png

A successful attack depends on the proper construction of the 'data:' URL. An algorithm could utilize the JS document.body.clientWidth/Height properties to calculate the best URL padding for the given browser.

PS. Sometimes the Opera web browser displays the beginning of the 'data:' URL (correct behaviour), e.g. during browser startup with an immediate redirect to the last visited page.

-- Robert Swiecki
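
A defensive sketch of the behaviour described above, as an added example that is not part of the original advisory: it flags 'data:' URLs whose whitespace padding leaves a host-like tail, and renders any URL start-anchored so the scheme stays visible. The function names, the padding threshold and the sample URL are assumptions constructed for illustration.

```javascript
// Added example (not from the advisory). Names and thresholds are assumptions.
const PAD_RUN = 20; // assumed: this many consecutive whitespace chars is suspicious

// Constructed sample: a data: URL padded so that only its tail would be shown.
const SAMPLE = "data:text/html,<p>x</p>" + " ".repeat(300) + "http://www.example.com/";

// Byte-wise percent-decoding that never throws on malformed escapes.
function safeDecode(s) {
  return s.replace(/%([0-9a-fA-F]{2})/g,
    (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Returns a list of findings for a URL; an empty list means nothing suspicious.
function inspectDataUrl(url) {
  const findings = [];
  const trimmed = url.replace(/^\s+/, "");
  if (!/^data:/i.test(trimmed)) return findings; // only data: URLs are in scope

  const decoded = safeDecode(trimmed);
  // Longest run of whitespace, counting literal and percent-encoded forms.
  const longest = (decoded.match(/\s+/g) || [])
    .reduce((max, run) => Math.max(max, run.length), 0);
  if (longest < PAD_RUN) return findings;
  findings.push("whitespace-padding:" + longest);

  // Last whitespace-separated token: does it read like a host or http(s) URL?
  const tail = decoded.replace(/\s+$/, "").split(/\s+/).pop();
  if (/^(https?:\/\/)?([a-z0-9-]+\.)+[a-z]{2,}(\/\S*)?$/i.test(tail)) {
    findings.push("hostlike-tail:" + tail);
  }
  return findings;
}

// Start-anchored display: collapse whitespace, keep the scheme, elide the END.
// This mirrors the "correct behaviour" noted in the PS of the advisory.
function displayUrl(url, maxChars = 60) {
  const flat = safeDecode(url).replace(/\s+/g, " ").trim();
  return flat.length <= maxChars ? flat : flat.slice(0, maxChars - 1) + "\u2026";
}

console.log(inspectDataUrl(SAMPLE));
console.log(displayUrl(SAMPLE, 20));
```
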


Copyright 2024, cxsecurity.com

 
