Archive for June 2012

[CVE-2012-3558] Carefully timed reloads, redirects, and navigation can spoof the address field


Advisory: Carefully timed reloads, redirects, and navigation can spoof the address field


CVE-ID: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3558


UPDATE Link: http://www.opera.com/fr/security/advisory/1018


Announced: June 12, 2012
Reporter: Security researcher Jordi Chancel
Impact: Low
Products: Opera
Fixed in: Opera 12 and Opera 11.65


Description

The address field should always show the address of the page that is being displayed. Certain types of navigation, combined with reloads and redirects to a slowly-responding target site can cause the address field to show the target site’s address, while the attacking site is still being displayed.

Opera’s Response

Opera Software has released Opera 12 and Opera 11.65, where this issue has been fixed.


Credits

Thanks to Jordi Chancel for reporting this issue to Opera Software.


  • Demonstration video:


-Security Researcher Jordi Chancel

[CVE-2012-3556] A combination of clicks and key presses can lead to cross site scripting or code execution


Advisory: A combination of clicks and key presses can lead to cross site scripting or code execution


CVE-ID: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3556


UPDATE Link: http://www.opera.com/fr/security/advisory/1020


Announced: June 12, 2012
Reporter: Security researcher Jordi Chancel
Impact: Moderate
Products: Opera
Fixed in: Opera 12 and Opera 11.65


Description

When a user double clicks on a page, they may expect the two clicks to target the same object. If a page uses the first click to open a pop-up window in a predictable location, the second click may focus parts of the new window, such as its address field. If the page can then convince the user to activate a scripted URL seeded in the address field, on a newly loaded target page within the pop-up, it can allow cross site scripting against the target page. Similar attacks could also be used against Opera’s preferences to change preferences or select executables to be run by Opera. Non-trivial social engineering would be required to ensure that the user followed the desired sequence of clicks and keypresses, at precisely the right speed, while ignoring the opening and loading of pages within the pop-up.

Opera’s Response

Opera Software has released Opera 12 and Opera 11.65, where this issue has been fixed.


Credits

Thanks to Jordi Chancel for reporting this issue to Opera Software.


  • Demonstration video:


-Security Researcher Jordi Chancel

[CVE-2012-3555] Hidden keyboard navigation can allow cross site scripting or code execution


Advisory: Hidden keyboard navigation can allow cross site scripting or code execution


CVE-ID: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3555


UPDATE Link: http://www.opera.com/fr/security/advisory/1021


Announced: June 12, 2012
Reporter: Security researcher Jordi Chancel
Impact: Moderate
Products: Opera
Fixed in: Opera 12 and Opera 11.65


Description

When a user is interacting with a window, that window should be visible to the user, to ensure that the user realizes it is there. If a page is displayed in a small enough window, the user may not realize it is being displayed, and if the right keyboard sequence is carefully followed, they can end up performing undesirable actions on that page. Similar attacks could also be used against Opera’s preferences to change preferences or select executables to be run by Opera. Additional social engineering steps are needed to ensure that the user presses the correct key sequence, without being able to show any relevant visual feedback, as the page cannot see that the keys are being pressed.

Opera’s Response

Opera Software has released Opera 12 and Opera 11.65, where this issue has been fixed. Web authors are encouraged to use the X-Frame-Options header and similar clickjacking protections to ensure that their pages cannot be targeted by keyboard variations of clickjacking attacks.
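For web authors acting on the X-Frame-Options recommendation above, the following Python check is an added example (not part of Opera's advisory or the original post) that audits a response's headers for anti-framing protection. The function names and sample headers are constructed, and treating the CSP `frame-ancestors` directive as one of the "similar clickjacking protections" is an assumption of this example.

```python
# Added example: audit response headers for anti-framing protection.
# Function names and the sample headers are constructed for illustration.


def frame_ancestors(csp_value):
    """Return the frame-ancestors source list of one CSP value, or None."""
    for directive in csp_value.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def audit_framing(headers):
    """headers: list of (name, value) pairs. Returns (verdict, detail)."""
    policies = [frame_ancestors(v) for n, v in headers
                if n.lower() == "content-security-policy"]
    policies = [p for p in policies if p is not None]
    if policies:
        # Browsers that support frame-ancestors ignore X-Frame-Options when
        # it is present, so a permissive policy here is not rescued by XFO.
        for sources in policies:
            # An empty source list means the same as 'none'.
            if not sources or sources == ["'none'"]:
                return "protected", "frame-ancestors 'none'"
        for sources in policies:
            # "*" or a bare scheme such as "https:" lets any site frame the page.
            if not any(s == "*" or s.endswith(":") for s in sources):
                return "protected", "frame-ancestors " + " ".join(sources)
        return "weak", "frame-ancestors allows any origin or a whole scheme"
    xfo = {v.strip().upper() for n, v in headers
           if n.lower() == "x-frame-options"}
    if not xfo:
        return "unprotected", "no X-Frame-Options or frame-ancestors"
    if len(xfo) > 1:
        return "weak", "conflicting X-Frame-Options values"
    value = xfo.pop()
    if value in ("DENY", "SAMEORIGIN"):
        return "protected", "X-Frame-Options " + value
    return "weak", "unrecognised or obsolete X-Frame-Options value: " + value


if __name__ == "__main__":
    # Constructed sample: a permissive CSP next to a strict X-Frame-Options.
    sample = [("Content-Security-Policy", "frame-ancestors *"),
              ("X-Frame-Options", "DENY")]
    print(audit_framing(sample))
```
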


Credits

Thanks to Jordi Chancel for reporting this issue to Opera Software.


  • Demonstration video:


-Security Researcher Jordi Chancel