Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 231830 (CVE-2008-3172) - www-client/opera "Cross-Site Cooking" Session Hijacking (CVE-2008-3172)
Summary: www-client/opera "Cross-Site Cooking" Session Hijacking (CVE-2008-3172)
Status: RESOLVED OBSOLETE
Alias: CVE-2008-3172
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-07-15 02:46 UTC by Robert Buchholz (RETIRED)
Modified: 2017-10-19 08:27 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2008-07-15 02:46:26 UTC
CVE-2008-3172 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3172):
  Opera allows web sites to set cookies for country-specific top-level domains
  that have DNS A records, such as co.tv, which could allow remote attackers to
  perform a session fixation attack and hijack a user's HTTP session, aka
  "Cross-Site Cooking."
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2008-07-15 04:29:19 UTC
I feel a 9.52 coming soonish. :)
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2008-08-20 14:47:07 UTC
The URL's Security doesn't appear to cover this one, but feel free to check it. One issue has not been disclosed yet. If none of these are relevant to this bug report, then we shall have to open a new bug report to cover those, I guess.

* Sites can no longer change framed content on other sites: see our advisory[1]
* Fixed an issue that could allow cross-site scripting, as reported by Chris Weber of Casaba Security: details will be disclosed at a later date
* Custom shortcuts no longer pass the wrong parameters to applications, as reported by Michael A. Puls II: see our advisory[2]
* Prevented insecure pages from showing incorrect security information, as reported by Lars Kleinschmidt: see our advisory[3]
* Feed links can no longer link to local files: see our advisory[4]
* Feed subscription can no longer cause the wrong page address to be displayed: see our advisory[5]

[1] http://www.opera.com/support/search/view/893/
[2] http://www.opera.com/support/search/view/894/
[3] http://www.opera.com/support/search/view/895/
[4] http://www.opera.com/support/search/view/896/
[5] http://www.opera.com/support/search/view/897/
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2008-08-20 15:14:37 UTC
The Opera 9.52 changelog [1] doesn't appear to cover this particular vulnerability. Moreover, I haven't seen a test case for it, and the information appears to be second hand - Mozilla developers appear to be talking about how Opera solved the top-level domain issue and that they aren't satisfied with that approach. I don't see any disclosure of how Opera handles that now.


[1] http://www.opera.com/docs/changelogs/linux/952/
Comment 4 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-03 18:03:16 UTC
This seems to still be unfixed in Opera. Not sure how to proceed.
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2016-02-26 14:33:16 UTC
Still no confirmation it has been fixed but here are additional links regarding the matter:

https://bugzilla.mozilla.org/show_bug.cgi?id=385299

https://bugzilla.mozilla.org/show_bug.cgi?id=252342
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2017-10-19 00:52:24 UTC
RESOLVED FIXED in mozilla1.9beta2 from upstream.
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2017-10-19 08:27:01 UTC
(In reply to Aaron Bauman from comment #6)
> RESOLVED FIXED in mozilla1.9beta2 from upstream.

Mozilla fixed Opera?