This did /not/ work in Opera 9.20/WinXPSP2 (I'm a little slow on the updates...) Seems as though this issue just got added in 9.21. - Andrew
Robert Swiecki wrote: > With a specially crafted web page, an attacker can redirect > a www browser to the page, which URL (in the url bar) resembles > an arbitrary domain choosen by the attacker. > > It's possible due to the fact, that some web browsers incorrectly > display contents of the url bar while rendering pages based on the > 'data:' URL scheme (RFC 2397). Only the ending of the URL is > displayed. Padding the URL with whitespaces allows an attacker to > insert an arbitrary content into the browser url bar. > > http://alt.swiecki.net/oper1.html > > Tested with: > * Opera 9.21 on Win 2003SE and Win XPSP2 > * Opera 9.21 on Linux > * Konqueror 3.5.7 on Linux > > Pictures taken on my systems (using 1024x768 dekstop resolution) > http://alt.swiecki.net/operalin.png > http://alt.swiecki.net/operawin.png > http://alt.swiecki.net/konq.png > > Successfull attack depends on the proper construction of the > 'data:' URL. An algorithm could utilize JS > document.body.clientWidth/Height properties to calculate the > best url padding for the given browser. > > PS. Sometimes Opera web browser displays the beggining of > the 'data:' URL (correct behaviour), e.g. during > browser startup with immediate redirect to the last visited page. > > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
