
Bug 231830 (CVE-2008-3172)

Summary: www-client/opera "Cross-Site Cooking" Session Hijacking (CVE-2008-3172)
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED OBSOLETE
Severity: minor
CC: email, jer
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [noglsa cve]
Package list:
Runtime testing required: ---

Description Robert Buchholz (RETIRED) gentoo-dev 2008-07-15 02:46:26 UTC
CVE-2008-3172 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3172):
  Opera allows web sites to set cookies for country-specific top-level domains
  that have DNS A records, such as co.tv, which could allow remote attackers to
  perform a session fixation attack and hijack a user's HTTP session, aka
  "Cross-Site Cooking."
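
The cookie-scope check that the description above implies is missing, as an added example that is not part of the original report and is not Opera's or Gentoo's code. The suffix set, host names and the `naive_accept` rule are constructed for illustration; a real cookie jar would consult the full Public Suffix List.

```python
# Constructed sample of public suffixes. A real cookie jar would load the full
# Public Suffix List instead of this hard-coded set (assumption of this example).
PUBLIC_SUFFIXES = {"com", "tv", "uk", "co.tv", "co.uk"}

def registrable_domain(host):
    """Longest public suffix plus one label; None if host is itself a suffix."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):            # i = 0 tries the longest candidate first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    # Unlisted TLD: fall back to treating the last label as the suffix.
    return ".".join(labels[-2:]) if len(labels) > 1 else None

def domain_matches(host, domain):
    """Cookie domain-match: identical, or host is a subdomain of domain."""
    return host == domain or host.endswith("." + domain)

def naive_accept(request_host, cookie_domain):
    """Hypothetical weak rule: Domain has an embedded dot and matches the host."""
    d = cookie_domain.lower().lstrip(".")
    return "." in d and domain_matches(request_host.lower(), d)

def strict_accept(request_host, cookie_domain):
    """Also require that Domain is no broader than the host's registrable domain."""
    host = request_host.lower()
    d = cookie_domain.lower().lstrip(".")
    reg = registrable_domain(host)
    if reg is None or not domain_matches(host, d):
        return False
    return domain_matches(d, reg)

# Constructed (request host, Set-Cookie Domain attribute) pairs.
SAMPLES = [
    ("shop.example.co.tv", ".co.tv"),          # spans every site under co.tv
    ("shop.example.co.tv", ".example.co.tv"),  # legitimate site-wide cookie
    ("shop.example.co.tv", ".tv"),             # bare TLD
    ("www.example.com", "example.com"),        # legitimate
    ("www.example.com", "other.com"),          # unrelated domain
]

def audit(samples=SAMPLES):
    """Return (host, domain, naive_result, strict_result) for each sample."""
    return [(h, d, naive_accept(h, d), strict_accept(h, d)) for h, d in samples]

if __name__ == "__main__":
    for row in audit():
        print("%-20s Domain=%-16s naive=%-5s strict=%s" % row)
```

Only the first sample differs between the two rules: a cookie scoped to `.co.tv` would be returned to every site registered under that suffix, which is the precondition for the session fixation the CVE text describes.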
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2008-07-15 04:29:19 UTC
I feel a 9.52 coming soonish. :)
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2008-08-20 14:47:07 UTC
The URL's Security doesn't appear to cover this one, but feel free to check it. One issue has not been disclosed yet. If none of these are relevant to this bug report, then we shall have to open a new bug report to cover those, I guess.

* Sites can no longer change framed content on other sites: see our advisory[1]
* Fixed an issue that could allow cross-site scripting, as reported by Chris Weber of Casaba Security: details will be disclosed at a later date
* Custom shortcuts no longer pass the wrong parameters to applications, as reported by Michael A. Puls II: see our advisory[2]
* Prevented insecure pages from showing incorrect security information, as reported by Lars Kleinschmidt: see our advisory[3]
* Feed links can no longer link to local files: see our advisory[4]
* Feed subscription can no longer cause the wrong page address to be displayed: see our advisory[5]

[1] http://www.opera.com/support/search/view/893/
[2] http://www.opera.com/support/search/view/894/
[3] http://www.opera.com/support/search/view/895/
[4] http://www.opera.com/support/search/view/896/
[5] http://www.opera.com/support/search/view/897/
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2008-08-20 15:14:37 UTC
The Opera 9.52 changelog [1] doesn't appear to cover this particular vulnerability. Moreover, I haven't seen a test case for it, and the information appears to be second hand - Mozilla developers appear to be talking about how Opera solved the top-level domain issue and that they aren't satisfied with that approach. I don't see any disclosure of how Opera handles that now.


[1] http://www.opera.com/docs/changelogs/linux/952/
Comment 4 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-03 18:03:16 UTC
This seems to still be unfixed in Opera. Not sure how to proceed.
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2016-02-26 14:33:16 UTC
Still no confirmation it has been fixed but here are additional links regarding the matter:

https://bugzilla.mozilla.org/show_bug.cgi?id=385299

https://bugzilla.mozilla.org/show_bug.cgi?id=252342
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2017-10-19 00:52:24 UTC
RESOLVED FIXED in mozilla1.9beta2 from upstream.
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2017-10-19 08:27:01 UTC
(In reply to Aaron Bauman from comment #6)
> RESOLVED FIXED in mozilla1.9beta2 from upstream.

Mozilla fixed Opera?