Character Encoding Inheritance in iframes Can Enable Cross-Site Scripting – Opera Security Advisories




Problem description

Pages displayed inside an iframe will inherit the character encoding of the parent page, unless they specify their own character encoding.

A malicious page that uses the UTF-7 character encoding can include other sites, for example inside iframes. This can be exploited to perform cross-site scripting on certain sites, allowing the attacker to get access to the user’s session data for those sites.

To exploit this vulnerability, the attacker must get the user to access a specially crafted Web page.
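
Site owners can check the condition described above (a page is only exposed to inheritance if it does not specify its own character encoding) for each response they serve. The following is an added example, not part of Opera's advisory: a Python check that reports responses carrying no explicit encoding declaration (byte order mark, Content-Type charset parameter, or meta tag). The function names, the simplified meta regex and the sample responses are constructed for illustration.

```python
import re
from email.message import Message
from email.utils import collapse_rfc2231_value

# Byte order marks fix the encoding regardless of any parent document.
_BOMS = ((b"\xef\xbb\xbf", "utf-8"), (b"\xff\xfe", "utf-16le"), (b"\xfe\xff", "utf-16be"))
# Simplified match for <meta charset=...> and the http-equiv Content-Type form.
_META = re.compile(rb"<meta\b[^>]*?charset\s*=\s*[\"']?\s*([A-Za-z0-9._:-]+)", re.I)


def declared_charset(content_type, body):
    """Return (source, charset) for an explicit declaration, else None."""
    for bom, name in _BOMS:
        if body.startswith(bom):
            return ("bom", name)
    if content_type:
        msg = Message()
        msg["Content-Type"] = content_type
        charset = msg.get_param("charset")
        if charset:
            return ("http-header", collapse_rfc2231_value(charset).lower())
    # The HTML specification requires a meta declaration within the first 1024 bytes.
    match = _META.search(body[:1024])
    if match:
        return ("meta", match.group(1).decode("ascii").lower())
    return None


def audit(responses):
    """Return URLs whose responses leave the encoding choice to the browser."""
    return [url for url, ctype, body in responses
            if declared_charset(ctype, body) is None]


# Constructed sample responses: (url, Content-Type header, first bytes of body).
SAMPLE = [
    ("https://example.test/a", "text/html; charset=UTF-8", b"<html><body>a"),
    ("https://example.test/b", "text/html", b'<html><head><meta charset="utf-8">'),
    ("https://example.test/c", "text/html", b"<html><head><title>c</title>"),
    ("https://example.test/d", "text/html", b"\xef\xbb\xbf<html><body>d"),
]

if __name__ == "__main__":
    for url in audit(SAMPLE):
        print("no explicit charset:", url)
```
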


Opera’s Response

Opera has released Opera 9.20, which restricts character encoding inheritance so that it is only applied to content from the same site as the parent document.


Thanks to Stefan Esser for making Opera Software aware of this vulnerability.