Bad things can happen when things are not treated as what they are. Consider the HTML tag below:
<img src=non-existent-link&onerror=alert(1) />
The browser should treat it as the following content:
<img src="non-existent-link&onerror=alert(1)" />
Not too bad, right? But what if the character "&" is treated as a space?
<img src="non-existent-link" onerror="alert(1)" />
Not too great: our image tag points to something non-existent, inadvertently triggers the onerror callback, and hands out free JavaScript to everyone who comes along… in Opera 9.51. Credits to Chris Weber for the discovery.
This is what happens when some character is treated as a space character. (No, the "&" character itself is not the problem; it is just a placeholder here for easier reading.)
Here is the list of characters that are treated as a space character:
U+00A0
U+1680
U+180E
U+180F
U+2000 to U+200A
U+2028
U+2029
U+202F
U+205F
U+3000
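As an added example (not code from the original post), the following JavaScript flags the code points listed above inside an attribute value, and shows the unquoted tag shape the post starts from beside a hardened builder that quotes the value and encodes those code points, so the attribute boundary is decided by the quotes rather than by whitespace parsing. The input string is constructed, with U+00A0 standing in for the "&" of the post.

```javascript
// Code points the post reports Opera 9.51 treating as attribute separators.
const OPERA_SPACE_LIKE = new Set([
  0x00A0, 0x1680, 0x180E, 0x180F,
  ...Array.from({ length: 11 }, (_, i) => 0x2000 + i), // U+2000 .. U+200A
  0x2028, 0x2029, 0x202F, 0x205F, 0x3000,
]);

// Return the listed code points (as "U+XXXX" strings) found in `value`.
function findSpaceLikeCodePoints(value) {
  const found = [];
  for (const ch of value) { // for..of iterates by code point, not UTF-16 unit
    const cp = ch.codePointAt(0);
    if (OPERA_SPACE_LIKE.has(cp)) {
      found.push('U+' + cp.toString(16).toUpperCase().padStart(4, '0'));
    }
  }
  return found;
}

// Naive builder: unquoted attribute value, the shape the post starts from.
// A browser that treats U+00A0 as whitespace sees a second attribute here.
function naiveImgTag(src) {
  return '<img src=' + src + ' />';
}

// Hardened builder: always quote, escape the HTML-significant characters,
// and encode every listed code point as a numeric character reference so
// that no raw space-like character ever reaches the attribute tokenizer.
function safeImgTag(src) {
  let out = '';
  for (const ch of src) {
    const cp = ch.codePointAt(0);
    if (OPERA_SPACE_LIKE.has(cp)) out += '&#x' + cp.toString(16).toUpperCase() + ';';
    else if (ch === '&') out += '&amp;';
    else if (ch === '"') out += '&quot;';
    else if (ch === '<') out += '&lt;';
    else if (ch === '>') out += '&gt;';
    else out += ch;
  }
  return '<img src="' + out + '" />';
}

// Constructed sample: the post's payload with U+00A0 in place of "&".
const SAMPLE = 'non-existent-link\u00A0onerror=alert(1)';
console.log(findSpaceLikeCodePoints(SAMPLE)); // ['U+00A0']
console.log(naiveImgTag(SAMPLE));
console.log(safeImgTag(SAMPLE));
```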
Chris Weber's list seems to be smaller, but the above are working as I tested them against Opera 9.51 on Windows XP. So I am pretty sure those are extra. =)
I also tested on Firefox 3.0.1, Internet Explorer 7.0.5730.13, and Chrome 0.2.149.29. The vulnerability does not exist there. For Safari 3.1.2 (525.21), I *think* there are no problems because it passed some of the tests, but I failed to run all the tests due to its serious performance problems (guesstimating it to be a memory leak?). More on that in the next post.