Opera 12 -o-link XSS (user interaction required)
Closed, Resolved | Public

Description

Adding this to a page will execute JavaScript when clicked. This is a variant of http://html5sec.org/#9.

<div title="&#100;&#97;&#116;&#97;&#58;&#116;&#101;&#120;&#116;&#47;&#104;&#116;&#109;&#108;&#44;&#60;&#105;&#109;&#103;&#32;&#115;&#114;&#99;&#61;&#49;&#32;&#111;&#110;&#101;&#114;&#114;&#111;&#114;&#61;&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41;&#62;" style="-o-link:attr(title);-o-link-source:current">Click Me</div>

I can't see any good reason to allow -o-link in the style, since most browsers ignore it.


Version: unspecified
Severity: normal

Details

Reference
bz58472

Event Timeline

bzimport raised the priority of this task from to High.
bzimport set Reference to bz58472.
csteipp created this task. Dec 13 2013, 10:46 PM

Created attachment 14095
Disallow -o-link in styles

attachment bug58472.patch ignored as obsolete

So you have verified this in a recent version of Opera? The link extensions have been removed from the Opera documentation, but you can find them in IA:

https://web.archive.org/web/20030602071146/http://www.opera.com/docs/specs/#xml-css-link

opera.com still hosts documentation for Opera 7, which was the current version at the time of that archive, but it seems they later decided to edit out all mention of that feature.

Maybe if -o-link still exists, then -o-replace may also still exist? It should probably be blacklisted also.

I verified it with 12.15; it looks like 12.16 is the most current.

-o-replace gives me an unknown property error, but probably best to blacklist it too, just in case.

Created attachment 14109
Disallow -o-link in styles

Forbid -o-replace too

Well, Opera 12.16 is the most current, ... of the Presto branch (which is no longer advertised).

Since early 2013, Opera has been reimplemented using Chromium (Blink, V8, etc.). First beta (Opera 15, version 13/14 were skipped) in May 2013, and gone stable since. They're up to Opera 18 already, and do have auto-updating.

However Opera 12 does not auto-update to Opera >= 15, so Opera 12 continues to have a fair browser share for now (seems good to support, especially when relatively inexpensive and in the interest of security).

This has been assigned CVE-2013-6454

Created attachment 14264
Disallow -o-link in styles (1.19 branch)

Created attachment 14265
Disallow -o-link in styles (1.21 branch)

Created attachment 14266
Disallow -o-link in styles (1.22 branch)

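
An added example, not part of the original report or the attached patches: one way a style-attribute filter could reject the Opera link-extension properties discussed in this thread (`-o-link`, `-o-link-source`, `-o-replace`), including names hidden behind HTML character references, CSS escapes or comments. The function names are hypothetical and the inputs used to check it are constructed.

```python
import html
import re

# Opera (Presto) link-extension properties named in this report.
FORBIDDEN = ("-o-link-source", "-o-link", "-o-replace")

# \HHHHHH (1-6 hex digits, one optional trailing whitespace) or \<any char>
_CSS_ESCAPE = re.compile(r"\\(?:([0-9a-fA-F]{1,6})[ \t\r\n\f]?|(.))", re.DOTALL)
_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
# Match a forbidden name only as a whole identifier (not inside "foo-o-link").
_FORBIDDEN_RE = re.compile(
    r"(?<![\w-])(" + "|".join(map(re.escape, FORBIDDEN)) + r")(?![\w-])"
)


def _decode_css_escapes(text):
    """Resolve CSS backslash escapes so an escaped property name cannot hide."""
    def repl(m):
        if m.group(1):
            cp = int(m.group(1), 16)
            valid = 0 < cp <= 0x10FFFF and not 0xD800 <= cp <= 0xDFFF
            return chr(cp) if valid else "\ufffd"
        return m.group(2)
    return _CSS_ESCAPE.sub(repl, text)


def forbidden_properties(style_attr):
    """Return the set of forbidden Opera properties found in a style value."""
    # Undo HTML character references first, then CSS escapes, then fold case.
    text = _decode_css_escapes(html.unescape(style_attr)).lower()
    hits = set()
    # Conservative choice (assumption): look at the text both with comments
    # kept and with comments removed, in case a lenient parser joins tokens.
    for candidate in (text, _COMMENT.sub("", text)):
        hits.update(_FORBIDDEN_RE.findall(candidate))
    return hits


def is_style_allowed(style_attr):
    """True when the style value uses none of the forbidden properties."""
    return not forbidden_properties(style_attr)
```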