Bug 106688

Summary:	www-client/opera<=8.02: Attachment Spoofing and Script Insertion
Product:	Gentoo Security	Reporter:	Carsten Lohrke (RETIRED) <carlo>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED INVALID
Severity:	normal	CC:	lanius
Priority:	High
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---

Description Carsten Lohrke (RETIRED) gentoo-dev

2005-09-20 08:36:58 UTC

Secunia Research has discovered two vulnerabilities in the Opera Mail client,
which can be exploited by a malicious person to conduct script insertion attacks
and to spoof the name of attached files.

1. Attached files are opened without any warnings directly from the user's cache
directory. This can be exploited to execute arbitrary JavaScript in context of
"file://".

2. Normally, filename extensions are determined by the "Content-Type" in Opera
Mail. However, by appending an additional '.' to the end of a filename, an HTML
file could be spoofed to be e.g. "image.jpg.".

The two vulnerabilities combined may be exploited to conduct script insertion
attacks if the user chooses to view an attachment named e.g. "image.jpg." e.g.
resulting in disclosure of local files.

The vulnerabilities have been confirmed in Opera version 8.02, prior versions
may also be vulnerable.

http://secunia.com/advisories/16645/


Update to version 8.50 available.

Comment 1 Tavis Ormandy (RETIRED) gentoo-dev

2005-09-20 09:07:13 UTC

Suggest marking INVALID.

1. So, don't open untrusted attachments.
2. File extensions are meaningless.

Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2005-09-20 23:32:42 UTC

Unless the attached files are opened without user interaction I agree with 
Tavis.

Comment 3 Thierry Carrez (RETIRED) gentoo-dev

2005-09-21 05:38:02 UTC

I tend to agree with both of you. Only Windows users suppose extensions
determine what the file contains. Please reopen with detailed explanation if you
disagree.