 Name GamePremium join:2002-07-07 North Myrtle Beach, SC kudos:7 | Universal XSS in Opera»blog.detectify.com/post/32947196···in-opera |
|
 DustynPremium join:2003-02-26 Ontario, CAN kudos:10 | Proof of concept fail (for me). I don't allow access to any URL shortening services.  |
|
 mysecPremium join:2005-11-29 kudos:4 1 edit | reply to Name Game Normally I don't pay attention to POCs since they don't always make their way into the wild.
But I looked because I see it would fail on 2 counts:
1) it requires javascript which, being white listed here, wouldn't be enabled in a redirection

2) I unshorten tiny URLs to take a peek before using them. This one reveals itself to be bogus:

---- rich |
|
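The check described in the post above (looking at where a short URL points before using it) can be done by reading the `Location` header of the shortener's response instead of following it. The following is an added example, not code from the thread or from any project it mentions; `inspectRedirect`, `parseDataUri` and the sample header are constructed for illustration.

```javascript
// Added example (not from the thread): classify a shortener's redirect target
// without following it. Function names and sample values are constructed.
const WEB_SCHEMES = new Set(['http', 'https']);

// Split a data: URI (RFC 2397) into its media type and decoded body.
function parseDataUri(uri) {
  const comma = uri.indexOf(',');
  if (comma === -1) return null;                 // malformed: no payload separator
  const meta = uri.slice(5, comma).split(';').map((s) => s.trim().toLowerCase());
  const mediaType = meta[0] || 'text/plain';     // RFC 2397 default
  const raw = uri.slice(comma + 1);
  try {
    const body = meta.includes('base64')
      ? Buffer.from(decodeURIComponent(raw), 'base64').toString('utf8')
      : decodeURIComponent(raw);
    return { mediaType, body };
  } catch {
    return { mediaType, body: raw };             // keep undecodable payload for review
  }
}

// Decide what a preview tool should do with one HTTP response from a shortener.
function inspectRedirect(status, location) {
  if (status < 300 || status > 399 || !location) return { verdict: 'no-redirect' };
  // URL parsers drop ASCII tab/CR/LF, so strip them before reading the scheme.
  const target = location.replace(/[\t\r\n]/g, '').trim();
  const match = /^([a-z][a-z0-9+.-]*):/i.exec(target);
  if (!match) return { verdict: 'relative', target };
  const scheme = match[1].toLowerCase();
  if (WEB_SCHEMES.has(scheme)) {
    try {
      return { verdict: 'preview', host: new URL(target).hostname };
    } catch {
      return { verdict: 'block', reason: 'unparsable-url' };
    }
  }
  if (scheme !== 'data') return { verdict: 'block', reason: 'scheme-' + scheme };
  const parsed = parseDataUri(target);
  const active = !parsed
    || /html|xml|svg|javascript/.test(parsed.mediaType)
    || /<script|\son\w+\s*=/i.test(parsed.body);
  return {
    verdict: 'block',
    reason: active ? 'data-uri-active-content' : 'data-uri',
    mediaType: parsed ? parsed.mediaType : null,
  };
}

// Constructed sample: the kind of Location header discussed in the thread.
const sample = 'data:text/html;base64,' + Buffer.from('<script>alert(document.domain)</script>').toString('base64');
console.log(inspectRedirect(301, sample));
```

The same scheme allow-list applies on the shortener's side when a link is submitted, so that a `data:` target is never stored in the first place.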
 Name GamePremium join:2002-07-07 North Myrtle Beach, SC kudos:7 | Thanks for looking at it rich and your thoughts. |
|
 therube join:2004-11-11 Randallstown, MD | reply to Name Game > I don't allow access to any URL shortening services.
How, extension?
> it requires javascript which, being white listed here
Blacklisted? Oh, oh, oh. You're saying that you normally have JavaScript not allowed & allow as needed. (Kind of like using NoScript.) |
|
 Name GamePremium join:2002-07-07 North Myrtle Beach, SC kudos:7 | reply to Name Game Vulnerable versions Opera for Windows, Mac and Linux to 2.12 inclusive (the latest version as of today). On versions prior to 9.50 check is not performed.
Works on desktop versions. From 9.50 to 2.12 under Windows, 12.10beta to 9.50 and did not check. Under Linux the latest work, the earlier did not check. If anyone has the opportunity to test 12.10beta (all OS), 9.x-11.x (Linux) and 9.x-11.x (poppy), write result verification. upd: Version 12.01, 12.02 under MacOS vulnerable. »rdot.org/forum/showthread.php?t=2444 -- Gladiator Security Forum »www.gladiator-antivirus.com/
|
|
 therube join:2004-11-11 Randallstown, MD | reply to Name Game > Tools->Preferences->Advanced->Network and uncheck the checkbox labeled Enable automatic redirection
Just what does that do? |
|
 Name GamePremium join:2002-07-07 North Myrtle Beach, SC kudos:7 1 edit | »help.opera.com/Mac/12.00/en/redirect.html
»help.opera.com/Linux/9.50/en/network.html |
|
 therube join:2004-11-11 Randallstown, MD | reply to Name Game I'm really confused by the POC? I (think) I understand what's happening, just not sure how it relates to anything?
Or is this the point: quote: This means that the javascript executes within the domain of tinyurl.com. Because of that, an attacker could read data within the domain and steal the users cookies for the domain as well.
Where it should be executing within the domain of NUL or something like that? (That is what happens in Mozilla.)
And if that's the case, anyone care to expand further on it, a "better" POC (as in let them steal tinyurl's cookies)?
And not understanding, I've even made a tinyurl myself, but again, what did I do, »forums.informaction.com/viewtopi···7#p43597 ? |
|
 Name GamePremium join:2002-07-07 North Myrtle Beach, SC kudos:7 | Sorry..can't help you on your tiny URL. I personally have all that set for preview a long time ago so I know where I am going
»tinyurl.com/preview.php?num=therube
Prevention
Fortunately, there is a way to prevent accessing an unwanted URL when presented with a TinyURL link. Go to tinyurl.com and click the link on the front page labeled "Click here to enable previews." This simple fix tells TinyURL to not automatically redirect you to a TinyURL destination page. Instead, you are sent to a simple preview page that tells you the exact URL you have been sent to by the abbreviated TinyURL. From here, you can choose to either click the real link or simply close the window if the content appears to be inappropriate or dangerous.
»tinyurl.com/preview.php -- Gladiator Security Forum »www.gladiator-antivirus.com/
|
|
 Name GamePremium join:2002-07-07 North Myrtle Beach, SC kudos:7 | reply to therube Nice work therube at that site...we all know there is risk with tinyurl
»www.ehow.com/info_12009456_tinyurl-safe.html
I think that Russian guy is trying to show cookies could be stolen...any of them you might have I guess. -- Gladiator Security Forum »www.gladiator-antivirus.com/
|
|
 BlackbirdBuilt for SpeedPremium join:2005-01-14 Fort Wayne, IN kudos:3
1 edit | reply to Name Game I believe a major part of this issue was already discussed in early September in »Firefox, Opera allow crooks to hide an entire phish site . Namely, the misuse of compressed web-page addresses being stored in the data URI and used to display a different page than what a user may believe he's connected with. In reality, the behavior is a direct consequence of the 1998 URI standard, not a "flaw" in Opera (or Firefox). Opera chooses to follow the data URI web standard explicitly, even in this area, so as not to break legitimate usage relying on the data URI behavior involved; other browsers elect to break the standard (and any relying pages) in order to "protect" users. Depending on one's pre-disposition to safety versus standards-compliance, either approach could be argued as resulting in a browser "flaw".
In Opera's case, if such a data URI sourced page is being displayed, the badge at the left of the address box is different from that displayed for a normal website, being a red "O" instead of a blue "earth". Of course, a user may miss that or not understand its significance, or their choice of custom skins or colors may obscure the badge details... but the notification and its purpose remain.
edited: added last para -- "Is life so dear, or peace so sweet, as to be purchased at the price of chains and slavery? Forbid it, Almighty God!" -- P.Henry, 1775 |
|
 Name GamePremium join:2002-07-07 North Myrtle Beach, SC kudos:7 | reply to Name Game The interest I had personally in the info was because of twitter..
Different ways to shorten URL's...
5 Twitter URL Shorteners With Awesome Features »sproutsocial.com/insights/2011/0···rteners/
But now they have their own service too
FAQs about Twitter's Link Service (»t.co) Below are some frequently asked questions about t.co, Twitter's link-shortening service.
How does link shortening work?
Links shared on Twitter.com will automatically be shortened to a »t.co link. Learn how to shorten links here. Please note: t.co links are neither private nor public; anyone with the link will be able to view the content.
Why does Twitter have its own link shortener?
Shortened links allow you to share long URLs in a Tweet while maintaining the maximum number of characters for your message. Our link service measures information such as how many times a link has been clicked, which is an important quality signal in determining how relevant and interesting each Tweet is when compared to similar Tweets. Having a link shortener protects users from malicious sites that engage in spreading malware, phishing attacks, and other harmful activity. A link converted by Twitter's link service is checked against a list of potentially dangerous sites. Users are warned with the error message below when clicking on potentially harmful URLs. »support.twitter.com/articles/109···ttp-t-co -- Gladiator Security Forum »www.gladiator-antivirus.com/
|
|
 Name GamePremium join:2002-07-07 North Myrtle Beach, SC kudos:7 | reply to therube Rich uses a tool to stop access to URL Shortening Services..
there are a few out there and ways to do it..
4 Easy Ways to Decode a TinyURL
»www.friedbeef.com/4-easy-ways-to···tinyurl/ -- Gladiator Security Forum »www.gladiator-antivirus.com/
|
|
 therube join:2004-11-11 Randallstown, MD 1 edit | reply to Blackbird > I believe a major part of this issue was already discussed
Right.
But if I'm understanding, the difference here, with Opera, is what I noted above, "This means that the javascript executes within the domain of tinyurl.com".
If that is the case, could someone with Opera open my tinyurl, »tinyurl.com/therube, then type "javascript:alert(document.domain)" (sans the quotes) into the address bar & tell us what it returns. (In Mozilla's case, nothing.)
Edit:
DO NOTE that "my" tinyurl.com/therube page is the same as what was discussed here, »Firefox, Opera allow crooks to hide an entire phish site, so what it may actually do, or not, I don't know. IOW, give it the same trust considerations you would any other page, none! (I say that only partially in jest, but really, don't try to log in or something like that.) |
|
 BlackbirdBuilt for SpeedPremium join:2005-01-14 Fort Wayne, IN kudos:3
1 edit | said by therube:
> ... if I'm understanding, the difference here, with Opera, is what I noted above, "This means that the javascript executes within the domain of tinyurl.com".
> If that is the case, could someone with Opera open my tinyurl, »tinyurl.com/therube, then type "javascript:alert(document.domain)" (sans the quotes) into the address bar & tell us what it returns. (In Mozilla's case, nothing.)
When I did that, I got a small javascript alert box on the center of my screen...
quote: JavaScript (about:blank) tinyurl.com [ ] Stop executing scripts on this page [OK]
Opera's address box does indicate the red Opera badge, as expected, for the text entered as you suggested, and the rest of the original displayed page darkens moderately when the box appears.
(This is with Opera 11.52, JavaScript enabled) -- "Is life so dear, or peace so sweet, as to be purchased at the price of chains and slavery? Forbid it, Almighty God!" -- P.Henry, 1775 |
|
 Name GamePremium join:2002-07-07 North Myrtle Beach, SC kudos:7 | reply to therube Are you able to read all this in English..not just Russian so you can see the other issues he talks about ?
»rdot.org/forum/showthread.php?t=2444 |
|
 therube join:2004-11-11 Randallstown, MD | reply to Blackbird quote: JavaScript (about:blank) tinyurl.com [ ] Stop executing scripts on this page [OK]
I really wasn't expecting that. I was expecting that it might say wikimedia.com or even wikipedia.com.
So it appears that it can only "swipe the cookies" from the URL shortening service you happened to use, so like who cares. If that is the extent of it, then to me it is a non-issue. |
|
 therube join:2004-11-11 Randallstown, MD 1 edit | reply to Name Game
> Are you able to read all this
Looks like » translate.google.com doesn't work on https: :(. I'll read through when I've got some time to copy/paste.
This is what one of their URLs does:
<script>if(document.domain=='tinyurl.com')location.reload();
function a(){var x=new XMLHttpRequest;
x.open('GET','https://rdot.org/forum/profile.php?do=editpassword',false);
x.send(null);
alert(x.responseText.match(/name="email" value="(.+?)"/)[1])}</script><body onload=a()>
Now that looks more interesting. I've got a general idea what's happening, but anyone care to shed more light.
Edit, another:
<script>if(document.domain=='tinyurl.com')location.reload();
function a(){alert(document.frames[0].document.cookie)}function b(){var i=document.createElement('iframe');
i.style='width:0px;height:0px;visibility:hidden';i.src = 'http';
i.src+=document.referrer.length?'':'s';
i.src+='://forum.antichat.ru/css/a.css';
i.onload=function(){a()};document.body.appendChild(i)}</script><body onload=b()>
|
|
 BlackbirdBuilt for SpeedPremium join:2005-01-14 Fort Wayne, IN kudos:3
| reply to therube said by therube:
> ...I really wasn't expecting that. I was expecting that it might say wikimedia.com or even wikipedia.com.
> So it appears that it can only "swipe the cookies" from the URL shortening service you happened to use, so like who cares. If that is the extent of it, then to me it is a non-issue.
In the interests of clarity, I did fail to earlier include that when I initially clicked on your tinyurl link, I was taken directly to a Wikipedia log-in page, then entering your suggested address box text resulted in the alert box I've described (along with the page darkening). -- "Is life so dear, or peace so sweet, as to be purchased at the price of chains and slavery? Forbid it, Almighty God!" -- P.Henry, 1775 |
|