Impact of vulnerability: ------------------------ Minor.
Versions affected: ------------------ Opera 7.20 Beta 1, build 2981 only. All other Opera versions are safe.
Description:
------------
Operaâs mail client, M2, has an option to suppress viewing of external embeds, turned on by default, that protects M2 users from having their e- mail tracked. This mechanism can be circumvented through the use of CSS.
Discussion:
-----------
External embeds are typically used by senders of unsolicited commercial email, spam, to act as âread receiptsâ and are typically 0Ã0 invisible images stored on a server.
The typical way a spammer can use such an image, from here on refered to as a mail bug, is by sending an HTML formatted mail, containing a link to an image stored on a mail server. Example:
<img src="http://exploit.example.com/img.gif?tracker=unique_tracker_id"; width="0" height="0" />
The {unique_tracker_id} is a code unique to each mail sent out, and will give the spammer a confirmation that the mail sent out to a particular user was both received and opened.
Details:
--------
In Opera 7.20, when a mail is viewed in the mail client, an XML document is created, containing the mail headers and a mail body. Opera then uses CSS to apply style to this document.
<omf:mime xmlns:omf="http://www.opera.com/2003/omf"; xmlns:html="http://www.w3.org/TR/REC-html40";>
<html:link rel="stylesheet" href="file://localhost/C:\Program Files\Opera7\Styles\mime.css" type="text/css"/>
<showheaders href="attachment:/135/headers.html">Display all headers</showheaders>
<headers><hgrp>
<hdr name="To"><n>To</n><v>john.doe@example.com</v></hdr> </hgrp></headers>
<body id='omf_body_start'>
<div class='document'>
<rfc822 id='1058899906'>
<html:body>
{ mail content goes here }
</html:body>
</omf:rfc822 id='1058899906'>
</div>
</body>
</omf:mime>
When mail is displayed it uses a stylesheet found in the file mime.css in the Styles subdirectory of the Opera installation folder. The mail headers and bodies are styled using namespace declarations in the mail:
@namespace omf url(http://www.opera.com/2003/omf); @namespace html url(http://www.w3.org/TR/REC-html40); omf|headers { /* style definitions */ }
By sending a mail using Content-type: text/html, and embedding a mail with styles similar to the ones found in the Opera stylesheet, a malicious user could insert an image that is displayed in the header area of the mail. An example of such a mail could be:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd";>
<html xmlns="http://www.w3.org/1999/xhtml"; xml:lang="en" lang="en">
<head>
<style type="text/css">
omf|headers { background-image: url(http://www.example.com/t.png) }
</style>
</head>
<body>
{ Normal mail body here }
</body>
</html>
Opera 7.20 beta 1 will now display the image referenced to in the style sheet, http://www.example.com/t.png, in the header area of the mail.
Solution:
---------
Either downgrade to Opera 7.11, or upgrade to Opera 7.20, beta 2, build 3014, as they are not affected by the problem.
Other:
------
Opera software was notified of the problem on 2003-07-04 and acknowledged the problem the same day, but requested some time to create a fix. Opera Software released Opera 7.20 beta 2, which fixed the problem, on 2003-07- 22.
A HTML version of this alert can be found at <URL:http://www.virtuelvis.com/archives/111.html>
-- Arve Bersvendsen
http://www.virtuelvis.com http://www.bersvendsen.com
![http://exploit.example.com/img.gif?tracker=unique_tracker_id"](http://exploit.example.com/img.gif?tracker=unique_tracker_id"){kind=link}
