SecuriTeam - Opera Browser Vulnerable To UTF-8 Whitespace Characters

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Ask the Team
Mailing Lists
Advertising Info
Advisories
About SecuriTeam
Blogs

Brought to you by:

Suppliers of:

SecuriTeam in Your Inbox

New vulnerability?
New tool?
Tell us
(Our PGP key).

Opera released version 9.52 of their flagship browser about a month ago to address an issue in the way certain Unicode characters were being interpreted as white space. This behavior enabled cross-site scripting (XSS) attacks which might not otherwise be possible. Perhaps exploiting this issue would also be useful to evade HTML filters, AV's, WAFs, or other detection systems which try to prevent XSS attacks.

Credit:
The information has been provided by Chris Weber.
The original article can be found at: http://lookout.net/2008/08/26/advisory-attack-of-the-mongolian-space-evaders-and-other-medieval-xss-vectors/

Website Security Scan	Code Vulnerability Test	Network Assessment Tool
Detect hidden vulnerabilities	Exhaustive automated testing	Real-time, continuous security
Get guidance from professionals	of internal or 3rd party code.	scanning for your entire network

Protect your website!
Use an External Vulnerability Scanner!
Nothing to install. First report in 1 hour!
www.beyondsecurity.com/vulnerability-scanner

Vulnerable Systems:
* Opera verison 9.51

Immune Systems:
* Opera verison 9.52

The Unicode spec assigns binary property meta-data to code points, one of which is the 'white_space' property. In Opera's case, we could use almost any character with a Unicode white_space property to represent a normal whitespace character like U+0020.

The following code points all get treated as a space. Making things like:
<a href=#[U+180E]onclick=alert()>

possible. This list includes many of the Unicode code points with the white_space property:
U+2002 to U+200A
U+205F
U+3000
U+180E Mongolian Vowel Separator
U+1680 Ogham Space Mark

(Test cases available at: http://lookout.net/wp-content/uploads/2008/08/opera_whitespace_exploits.html)

Subject:	Extra characters affected.	Date:	22 Sep. 2008
From:	log0
Just to add a few information, as discussed with Chris. These characters are affected in Opera 9.51 as well : U+00A0 // one form of unicode space U+2000 // one form of unicode space U+2001 // one form of unicode space U+2028 // line separator in unicode 3.0 U+2029 // paragraph separator in unicode 3.0 U+202F // one form of unicode space U+180F // unused character, unknown why it is causing problem. They are in common that they are in the Zs, Zl, and Zp categories ( Thanks Chris for the hint ). More information in : http://lookout.net/2008/08/26/advisory-attack-of-the-mongolian-space-evaders-and-other-medieval-xss-vectors/ http://log0.wordpress.com/2008/09/17/xss-characters-in-opera/

	LedgerSMB Multiple Vulnerabilities
	Kaspersky Lab Multiple Products Local Privilege Escalation Vulnerability
	Piwik Cookie Unserialize Vulnerability
	Invision Power Board SQL PHP File Inclusion and SQL Injection
	U.S. Defense Information Systems Agency (DISA) Unix Security Readiness Review (SRR) Vulnerability
	DevIL DICOM Buffer Overflow Vulnerability
	Marvell Driver Multiple Information Element Overflows
	HP Data Protector Express and Single Server Edition (SSE) DoS and Code Execution
	HP Color LaserJet Printers Unauthorized Access to Data and DoS
	KDE KDELibs Remote Array Overrun with Arbitrary Code Execution
	Gimp BMP Image Parsing Integer Overflow Vulnerability
	Avast aswRdr.sys Kernel Pool Corruption and Local Privilege Escalation
	WordPress Unrestricted File Upload Arbitrary PHP Code Execution
	Atheros Driver Reserved Frame DoS Vulnerability
	McAfee Security Manager Authentication Bypass and Session Hijacking Vulnerability