Robert Swiecki posted the following message on the FD Security List this afternoon.
----------------------------
With a specially crafted web page, an attacker can redirect a www browser to the page, whose URL (in the url bar) resembles an arbitrary domain chosen by the attacker.
It's possible due to the fact that some web browsers incorrectly display contents of the url bar while rendering pages based on the 'data:' URL scheme (RFC 2397). Only the ending of the URL is displayed. Padding the URL with whitespace allows an attacker to insert arbitrary content into the browser url bar.
http://alt.swiecki.net/oper1.html
Tested with:
* Opera 9.21 on Win 2003SE and Win XPSP2
* Opera 9.21 on Linux
* Konqueror 3.5.7 on Linux
Pictures taken on my systems (using 1024x768 desktop resolution)
http://alt.swiecki.net/operalin.png
http://alt.swiecki.net/operawin.png
http://alt.swiecki.net/konq.png
Successful attack depends on the proper construction of the 'data:' URL. An algorithm could utilize JS document.body.clientWidth/Height properties to calculate the best url padding for the given browser.
PS. Sometimes Opera web browser displays the beginning of the 'data:' URL (correct behaviour), e.g. during browser startup with immediate redirect to the last visited page.
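----------------------------
A defensive check for the padding pattern described in the message, as an added example that is not part of the original post: it flags 'data:' URLs in which a long run of whitespace is followed by text that reads like a hostname. The function names, the 32-character threshold and the sample URLs are assumptions made for illustration.

```javascript
// Added example: detect 'data:' URLs padded so that only a hostname-like
// tail would remain visible in an address bar that shows the URL's ending.
const PAD_THRESHOLD = 32; // assumed minimum whitespace run treated as padding

function safeDecode(s) {
  // Percent-decode when possible; malformed escapes fall back to the raw text.
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

function inspectDataUrl(url) {
  const trimmed = url.trim();
  if (!/^data:/i.test(trimmed)) {
    return { isDataUrl: false, suspicious: false, longestPad: 0, tail: "" };
  }
  const decoded = safeDecode(trimmed);
  // Locate the longest whitespace run (literal or originally percent-encoded).
  let longestPad = 0;
  let padEnd = -1;
  const re = /\s+/g;
  let m;
  while ((m = re.exec(decoded)) !== null) {
    if (m[0].length > longestPad) {
      longestPad = m[0].length;
      padEnd = m.index + m[0].length;
    }
  }
  // Everything after the padding is what a truncating URL bar would display.
  const tail = padEnd >= 0 ? decoded.slice(padEnd).trim() : "";
  const hostLike = /^(https?:\/\/)?([a-z0-9-]+\.)+[a-z]{2,}(\/\S*)?$/i.test(tail);
  return {
    isDataUrl: true,
    suspicious: longestPad >= PAD_THRESHOLD && hostLike,
    longestPad,
    tail,
  };
}

// Constructed sample inputs (not taken from the original post).
const SAMPLES = {
  encodedPad: "data:text/html,<p>hi</p>" + "%20".repeat(200) + "www.example.com",
  literalPad: "data:text/html,<p>hi</p>" + " ".repeat(64) + "http://www.example.com/login",
  benignData: "data:text/plain,hello%20world",
  ordinary: "http://www.example.com/",
};

for (const [name, url] of Object.entries(SAMPLES)) {
  const r = inspectDataUrl(url);
  console.log(name, r.suspicious, r.longestPad, JSON.stringify(r.tail));
}
```

The same check can run in a proxy, mail gateway or log pipeline over any field that carries link targets.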