Opera 7.20 beta 1 vulnerability

A vulnerability has been discovered in M2, the mail client in Opera 7.20, beta 1.

h3. Impact of vulnerability
h3. Versions affected
Opera 7.20 Beta 1, build 2981 only. All other Opera versions are safe.
h3. Description
Opera’s mail client, M2, has an option to suppress viewing of external embeds, turned on by default, that protects M2 users from having their e-mail tracked. This mechanism can be circumvented through the use of CSS.
h3. Discussion
External embeds are typically used by senders of unsolicited commercial email (spam) to act as “read receipts”, and are typically 0x0 invisible images stored on a server.
The typical way a spammer can use such an image, from here on referred to as a mail bug, is by sending an HTML-formatted mail containing a link to an image stored on a mail server. Example:
The {unique_tracker_id} is a code unique to each mail sent out, and will give the spammer a confirmation that the mail sent out to a particular user was both received and opened.
h3. Details
In Opera 7.20, when a mail is viewed in the mail client, an XML document is created, containing the mail headers and a mail body. Opera then uses CSS to apply style to this document.

bc.. <omf:mime xmlns:omf="http://www.opera.com/2003/omf"
<html:link rel="stylesheet" href="file://localhost/C:\Program Files\Opera7\Styles\mime.css" type="text/css"/>
<showheaders href="attachment:/135/headers.html">Display all
<hdr name="To"><n>To</n><v>john.doe@example.com</v></hdr>
<body id='omf_body_start'>
<div class='document'>
<rfc822 id='1058899906'>
{ mail content goes here }
</omf:rfc822 id='1058899906'>

p. When mail is displayed it uses a stylesheet found in the file mime.css in the Styles subdirectory of the Opera installation folder. The mail headers and bodies are styled using namespace declarations in the mail:
bc.. @namespace omf url(http://www.opera.com/2003/omf);
@namespace html url(http://www.w3.org/TR/REC-html40);
omf|headers {
/* style definitions */
}
p. By sending a mail using Content-type: text/html, and embedding a mail with styles similar to the ones found in the Opera stylesheet, a malicious user could insert an image that is displayed in the header area of the mail. An example of such a mail could be:

bc.. <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<style type="text/css">
omf|headers {
background-image: url(http://www.example.com/t.png)
{ Normal mail body here }

p. Opera 7.20 beta 1 will now display the image referenced in the style sheet, http://www.example.com/t.png, in the header area of the mail.
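An added example (not part of the original advisory, and not Opera's code): a Python check that a mail filter could run to list every remote load an HTML mail can trigger, including CSS @url()@ references like the one above that a filter looking only at image tags would miss. The function names and the sample mail are constructed for illustration; @namespace URLs are skipped on the assumption that they are identifiers and are never fetched.

```python
import re
from html.parser import HTMLParser

REMOTE = re.compile(r"^\s*(?:https?:)?//", re.I)        # needs a network fetch
CSS_NAMESPACE = re.compile(r"@namespace[^;]*;", re.I)   # identifiers, never fetched
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.I)
CSS_IMPORT = re.compile(r"@import\s+['\"]([^'\"]+)", re.I)
URL_ATTRS = {"src", "background", "poster", "data", "href"}

def css_remote_urls(css):
    """Remote URLs a renderer would load while applying this CSS."""
    css = CSS_NAMESPACE.sub("", css)
    return [u for u in CSS_URL.findall(css) + CSS_IMPORT.findall(css) if REMOTE.match(u)]

class ExternalRefFinder(HTMLParser):
    """Collects (where, url) for each remote load the markup can trigger."""
    def __init__(self):
        super().__init__()
        self.refs, self.in_style = [], False

    def handle_starttag(self, tag, attrs):
        self.in_style = self.in_style or tag == "style"
        for name, value in attrs:
            if name == "style" and value:
                self.refs += [(tag + "@style", u) for u in css_remote_urls(value)]
            # href on <a> is followed only on a click, so it is not a mail bug
            elif name in URL_ATTRS and tag != "a" and value and REMOTE.match(value):
                self.refs.append((tag + "@" + name, value))

    def handle_endtag(self, tag):
        self.in_style = self.in_style and tag != "style"

    def handle_data(self, data):
        if self.in_style:
            self.refs += [("style-block", u) for u in css_remote_urls(data)]

def find_external_refs(html):
    finder = ExternalRefFinder()
    finder.feed(html)
    finder.close()
    return finder.refs

# Constructed sample, modelled on the mail described above.
SAMPLE = """<html xmlns="http://www.w3.org/1999/xhtml"><head><style type="text/css">
@namespace omf url(http://www.opera.com/2003/omf);
omf|headers { background-image: url(http://www.example.com/t.png) }
</style></head><body><p>Normal mail body here</p>
<img src="cid:logo"/><a href="http://www.example.com/">link</a></body></html>"""

print(find_external_refs(SAMPLE))
```

A non-empty result means the mail can call home when rendered, so the viewer should strip or block those references before display.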
h3. Solution
Either downgrade to Opera 7.11, or upgrade to Opera 7.20, beta 2, build 3014, as they are not affected by the problem.
h3. Other
Opera Software was notified of the problem on 2003-07-04 and acknowledged the problem the same day, but requested some time to create a fix. Opera Software released Opera 7.20 beta 2, which fixed the problem, on 2003-07-22.
