By GreyMagic Software, Israel.
05 Aug 2004.

Topic: Location, Location, Location.

Discovery date: 19 Jul 2004.

Affected applications:
Opera 7.53 and prior on Windows, Linux and Mac.


On 04-Feb-2003 GreyMagic released an advisory ( ) concerning Opera's security model in v7.0. The advisory depicted several flaws in Opera's model, one of them allowed for an attacker to overwrite native and custom functions in a victim window. When the victim web-page executed such function, the attacker's code executed with the victim's privileges.

Opera tried to prevent such scenarios in Opera 7.01, by blocking write-access to objects on the victim window.


Unfortunately, Opera failed to block write-access to the often-used "location" object.

By overwriting methods in this object, an attacker can gain immediate script access to any web-page that uses one of these methods. This includes both web-pages in foreign domains and the victim's local file system.

The impacts of this vulnerability include:
Read-access to files on the victim's file system
Read-access to lists of files and folders on the victim's file system
Read-access to emails written or received by M2, Opera's mail program
Cookie theft
URL spoofing (phishing)
Track user browsing history
Much more...

Several methods are candidates for such attacks: assign(), replace(), valueOf() and toString(). The first two would be triggered only when the victim explicitly calls them. The latter ones would be called in many implicit cases, including:


And many others...

In order to gain access to the "file://" protocol, and hence to the entire file-system, an attacker needs to know of an HTML file in the victim's file system that actually makes a call to a method in the location object. Such file was included in virtually all Windows Operating Systems, it is named "CiAdmin.htm" and it can be found in a very predictable path - %SystemRoot%/Help/.


To exploit this vulnerability an attacker can use a simple <iframe>, pointing to the victim web-page, and inject the malicious code into its window. Here's an oversimplified example:

<script type="text/javascript">
onload=function () {
var oVictim=frames[0];
oVictim.location.replace=function () {
oVictim.alert("We now have full file system access using "+location.href);

This code demonstrates how the vulnerability works, but it is not likely to succeed in exploiting it by itself. This happens because the malicious code must be injected in the time-gap between page initiation and page script execution. This leaves a very narrow window for an attacker to inject code, but with a bit of scripting this window of opportunity can easily be found. The demonstrations below use simple brute-force and retry mechanisms to inject our code successfully.


We put together two harmless proof-of-concept demonstrations:
Simple: Reads c:/test.txt and displays it.
GreyMagic Opera Disk Explorer: Demonstrates how easy it is to access the victim's entire file system using this vulnerability, with an explorer-like page.


GreyMagic informed Opera of the vulnerability on 22-Jul-2004. A new version (7.54) was officially released on 05-Aug-2004 to address this problem.
Tested on:

Opera 7.52.
Opera 7.53.


The information in this advisory and any of its demonstrations is provided "as is" without warranty of any kind.

GreyMagic Software is not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.
For more information, visit here.