Jordi Chancel Security Research Blog

Recherche et Exploitation de Vulnérabilités des Navigateurs Web

Articles récents

[CVE-2018-5182] Local file can be displayed from hyperlink dragged and dropped on Addressbar
[CVE-2017-7834] Data: URLs opened in new tabs bypass CSP protections
[CVE-2017-7770] Addressbar spoofing with JavaScript events and fullscreen mode on Firefox for Android
[CVE-2017-5451] Addressbar spoofing with onblur event
[CVE-2017-5452] Addressbar spoofing during scrolling with editable content on Firefox for Android
[CVE-2017-5041] Google Chrome Location Bar URL & SSL Spoofing in Omnibox
[CVE-2017-5394] Android location bar spoofing using fullscreen and JavaScript events
[CVE-2017-5395] Android location bar spoofing during scrolling
[CVE-2016-5298] SSL indicator can mislead the user about the real URL visited
[CVE-2016-2822] Addressbar spoofing though the SELECT element
[CVE-2016-1967] Same-origin policy violation using perfomance.getEntries and history navigation with session restore
[CVE-2016-1941] Delay following click events in file download dialog too short on OS X
[CVE-2016-1943] Location Bar Spoofing Risk – scrollto leads to that the location bar is hidden
[CVE-2016-1942] Location bar continues displaying wyciwyg URI and resource URI if user tries to navigate to it manually
[CVE 2015-7186] Reading sensitive profile files through local HTML file on Android
[CVE 2015-7185] Firefox for Android addressbar can be removed after fullscreen mode
[CVE 2015-4476] Site attribute spoofing on Android by pasting URL with unknown scheme
[CVE 2015-0810] Cursor clickjacking with flash and images
[CVE 2014-1539] Clickjacking through cursor invisibility after Flash interaction
[Opera Security Advisory DNA-19280] Address bar spoofing with Data URIs
[Opera Security Advisory DNA-18354] Address bar spoofing with downloads
[CVE 2014-1480] UI selection timeout missing on download prompts
[CVE-2014-1870] Address bar spoofing on Mac platform with drag and drop
[CVE 2013-5593] Spoofing addressbar though SELECT element
[CVE 2012-4200] Location Bar URL and SSL Spoofing
[CVE 2012-3984] SELECT element persistance allows for attacks
[CVE-2012-6460] Truncated dialogs may be used to trick users
[CVE-2012-4143] Small windows can be used in several ways to trick users into executing downloads
[CVE-2012-3558] Carefully timed reloads, redirects, and navigation can spoof the address field
[CVE-2012-3556] A combination of clicks and key presses can lead to cross site scripting or code execution
[CVE-2012-3555] Hidden keyboard navigation can allow cross site scripting or code execution
[CVE 2012-0474] Page load short-circuit can lead to XSS
[CVE-2012-1925] Overlapping content can trick users into executing downloads
[CVE-2012-1924] Small windows can be used to trick users into executing downloads
[CVE-2012-1928] Carefully timed reloads and redirects can spoof the address field
[CVE-2011-2845] URL bar spoof in history handling (URL & SSL indicator Spoofing)
[CVE-2011-3875] URL bar spoof with drag+drop of URLs
[CVE-2011-2848] URL bar spoof with forward button / Possible URL Bar Spoofing when history.forward() is ignored using forward button
[CVE 2011-2377] Memory corruption due to multipart/x-mixed-replace images
[CVE-2011-1452] URL bar spoof with redirect and manual reload / URL Bar Spoofing using redirection and location.reload()
[CVE 2011-0061] Buffer OverFlow/Crash caused by corrupted JPEG image
[CVE-2011-1107] Google Chrome Location Bar URL/SSL Spoofing And Login/Password stealing
[CVE-2011-0682] Large form inputs can allow execution of arbitrary code
[CVE 2010-4045] Opera 10.62 Reloads and redirects can allow spoofing, universal cross site scripting and Command/code Execution
[CVE 2010-2751] SSL spoofing with history.back() and history.forward()
[CVE-2010-1663] Google Chrome Cross Origin Bypass in Google URL (GURL)
[CVE 2009-3985] URL spoofing via invalid document.location

Commentaires récents

Maor Shwartz dans Recherche en vulnérabilité informatique

Catégories

Non classé

Méta

[Opera Security Advisory DNA-19280] Address bar spoofing with Data URIs

Advisory: Address bar spoofing with Data URIs

UPDATE Link: http://www.opera.com/blogs/security/2014/05/security-changes-opera-21/

Announced: May 6, 2014
Reporter: Security researcher Jordi Chancel
Impact: Low
Products: Opera
Fixed in: Opera 21

Description

When a user chooses to open a link in a new tab, this should still display the address as normal. However, with Data URIs, Opera would accidentally right-align the address field, showing the wrong end of the address. Again, this could allow a specially crafted URL to show what appeared to be a domain name, but which was actually path data. As with the previous bug, it would be missing the domain highlight, but may be enough to fool some users.

Opera’s Response

Opera Software has released Opera 21, where this issue has been fixed.

Credits

Reported by Jordi Chancel.

Vidéo de démonstration :

-Security Researcher Jordi Chancel