Welcome to WebmasterWorld Guest from 54.146.201.80

Forum Moderators: open

Message Too Old, No Replies

Opera "phishing" vulnerability in 7.51

     
5:43 pm on Jun 28, 2004 (gmt 0)

Preferred Member

10+ Year Member

joined:May 20, 2003
posts:493
votes: 0


... a remote user can create HTML that, when loaded by the target user, will set the URL in the status bar to an arbitrary URL.

The HTML includes an IFrame within a cascading style sheet definition and a zero second HTML Refresh statement containing a javascript command. The source URL of the iframe will be listed in the address bar.

This exploit can be used in "phishing" attacks.

[securitytracker.com...]

I believe this was the same thing that was happening on IE, right?

Jennifer

8:00 am on June 29, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member blobfisk is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Feb 25, 2002
posts:3185
votes: 0


Nice catch Jennifer! Anything from Opera themselves on this yet?
3:40 pm on June 29, 2004 (gmt 0)

Preferred Member

10+ Year Member

joined:May 20, 2003
posts:493
votes: 0


I was looking through their forums and haven't seen a response from one of the Opera people and a fix hasn't been issued yet. This was apparently found around June 22nd.

Jennifer

8:56 pm on June 30, 2004 (gmt 0)

New User

10+ Year Member

joined:Apr 22, 2004
posts:15
votes: 0


This isn't the same as MSIE, and it's apparently rather difficult to actually exploit. To exploit it you'll have to get the victim to your site first apparently, and then use the trick. It's just a low risk vulnerability, in other words.

At least from what I can gather.