TITLE: Opera Download Dialog Spoofing Vulnerability
SECUNIA ADVISORY ID: SA12981
VERIFY ADVISORY: http://secunia.com/advisories/12981/
CRITICAL: Moderately critical
IMPACT: Spoofing
WHERE: From remote
SOFTWARE: Opera 7.x
http://secunia.com/product/761/

DESCRIPTION:
Secunia Research has discovered a vulnerability in Opera, which can be exploited by malicious people to trick users into executing malicious files.

The vulnerability is caused due to the filename and the "Content-Type" header not being sufficiently validated before being displayed in the file download dialog. This can be exploited to spoof file types in the download dialog by passing specially crafted "Content-Disposition" and "Content-Type" headers containing dots and ASCII character code 160.

Successful exploitation may result in users being tricked into executing a malicious file via the download dialog.

The vulnerability has been confirmed on Opera 7.54 for Windows. Other versions may also be affected.

SOLUTION:
Update to version 7.54u1.
http://www.opera.com/download/

PROVIDED AND/OR DISCOVERED BY:
Andreas Sandblad, Secunia Research.

ORIGINAL ADVISORY:
http://secunia.com/secunia_research/2004-19/advisory/

OTHER REFERENCES:
Vendor advisory:
http://www.opera.com/support/search/supsearch.dml?index=782
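The advisory names two ingredients: a filename padded with periods so the real extension sits far from the visible part, and a Content-Type padded with character 160 (the ISO-8859-1 non-breaking space). The following is an added example, not part of the Secunia advisory, the Opera fix, or this bug; it constructs headers of that shape and contrasts a lenient dialog that trusts the headers with a hardened one that normalises the filename and rejects a media type that violates the RFC 2045 token grammar. The widget width of the lenient dialog and the sample header values are assumptions made for illustration, not the original proof of concept.

```python
import re

# Constructed sample response headers modelled on the advisory's description:
# a "PDF" whose real extension is .exe, padded with periods, and a Content-Type
# padded with non-breaking spaces (0xA0).  Illustrative inputs only.
SAMPLE_HEADERS = {
    "Content-Disposition": 'attachment; filename="report.pdf' + "." * 40 + '.exe"',
    "Content-Type": "application/pdf" + "\xa0" * 60 + "x-msdownload",
}

TOKEN_RE = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")   # RFC 2045 token chars
EXECUTABLE_EXTS = {"exe", "com", "bat", "cmd", "scr", "pif", "vbs", "js"}
EXPECTED_EXT = {"application/pdf": {"pdf"}, "text/plain": {"txt"},
                "image/png": {"png"}, "application/zip": {"zip"}}


def disposition_filename(value):
    """Return the filename parameter of a Content-Disposition header, or None."""
    m = re.search(r'filename\s*=\s*(?:"([^"]*)"|([^;]+))', value)
    if not m:
        return None
    return (m.group(1) if m.group(1) is not None else m.group(2)).strip()


def lenient_label(headers, width=24):
    """A lenient dialog (assumed behaviour): shows the filename cut to the
    widget width and trusts the leading media type.  With the sample headers
    the user sees 'report.pdf....' and 'application/pdf'."""
    name = disposition_filename(headers["Content-Disposition"]) or ""
    ctype = headers["Content-Type"].split(";")[0]
    return name[:width], ctype[:width]


def strict_media_type(value):
    """Parse type/subtype, refusing anything outside the token grammar.
    0xA0 is not a token character, so a padded Content-Type is rejected."""
    main = value.split(";")[0]
    if "/" not in main:
        raise ValueError("media type lacks a slash")
    typ, sub = main.split("/", 1)
    if not (TOKEN_RE.match(typ) and TOKEN_RE.match(sub)):
        raise ValueError("media type contains non-token characters: %r" % main)
    return (typ + "/" + sub).lower()


def strict_filename(name):
    """Normalise a filename before display: map non-breaking and control
    whitespace to spaces, drop path separators, collapse runs of dots, strip
    trailing dots and spaces, and return (display_name, real_extension)."""
    name = re.sub(r"[\xa0\t\r\n\f\v]", " ", name)
    name = name.replace("/", "_").replace("\\", "_")
    name = re.sub(r"\.{2,}", ".", name).strip(" .")
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    return name, ext


def assess_download(headers):
    """What a hardened dialog should render: the normalised name, the real
    extension, the accepted media type, and the reasons to warn the user."""
    warnings = []
    raw_name = disposition_filename(headers.get("Content-Disposition", "")) or "download"
    name, ext = strict_filename(raw_name)
    try:
        ctype = strict_media_type(headers.get("Content-Type", ""))
    except ValueError as e:
        ctype = "application/octet-stream"
        warnings.append("Content-Type rejected: %s" % e)
    if ext in EXECUTABLE_EXTS:
        warnings.append("file is executable (.%s)" % ext)
    if ctype in EXPECTED_EXT and ext not in EXPECTED_EXT[ctype]:
        warnings.append("extension .%s does not match %s" % (ext, ctype))
    if raw_name != name:
        warnings.append("filename was normalised from %r" % raw_name)
    return {"name": name, "ext": ext, "type": ctype, "warnings": warnings}


if __name__ == "__main__":
    print("lenient dialog shows:", lenient_label(SAMPLE_HEADERS))
    print("hardened dialog shows:", assess_download(SAMPLE_HEADERS))
```

The hardened path does not try to guess what the sender meant: a Content-Type that is not a valid token pair is downgraded to application/octet-stream, and the extension the operating system will actually act on (the last one after collapsing the dots) is what gets compared against the declared type and against the list of executable extensions.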
http://www.opera.com/support/search/supsearch.dml?index=782

Advisory: Opera security advisory 2004-12-10
Platform: All platforms

Opera security advisory
* Named frames or windows can be hi-jacked by malicious frames or windows.
* Periods in the file name and non-breaking spaces in the Content-Type header can make the save/open dialog misleading. A user may be convinced that an executable file is something else, for example a PDF document.
* Applets have access to sun.* packages
* Liveconnect: com.opera.EcmascriptObject constructor is accessible to Java
* Liveconnect reveals the path to the user's home directory. This can make other vulnerabilities easier to exploit.

Severity: Moderate/high

Vulnerable versions of Opera
* 7.54 and earlier

Opera's response
Security update 7.54u1. 7.54u1 has several security fixes. (Note: Please use the download link on the right hand side of the page.)
* Tightened origin check for frames. A side effect of this is that documents not passing the origin check will open in a new page.
* Fixed issue reported by Marc Schönefeld: intrusive JavaScript or Java applet could exploit Sun Java vulnerability to retrieve logged-in user's username and install directory.
* Fixed LiveConnect class access security issue reported by Jouko Pynnonen.
* Fixed Secunia issue SA12981, reported by Andreas Sandblad: periods in the file name and non-breaking spaces in content-type header type could obscure the file type.
* Fixed Secunia issue SA13253: "hi-jacking" a named browser window.
* Improved support for the "must-revalidate" cache directive.

Credits
* Secunia Research
* Andreas Sandblad, Secunia Research
* Marc Schönefeld
* Jouko Pynnonen

lanius: pls update to the fixed version
added opera-7.54-r1
Thx Heinrich. Arches please mark stable. This also fixes bug #71818 (Java issues).
stable on sparc
amd64 done
Thx Simon. This one is ready for GLSA, Security please vote.
I vote yes. Also this seems to fix the Java sandbox problems which are quite critical (bug 71818).
Correct. We'll have a GLSA on this one.
Note that according to http://secunia.com/advisories/13253/ Opera just partly fixed the windows injection vulnerability.
*** Bug 71818 has been marked as a duplicate of this bug. ***
Hmmkay... I'm no longer sure this is worth a GLSA (for the moment). What we have fixed here is mostly download scams and info leaks:

* Named frames or windows can be hi-jacked by malicious frames or windows. Opera now tightens origin check for frames. [This is http://secunia.com/advisories/13253/ which Secunia says is just partly fixed. This one could be worth a GLSA, but it's not really fixed, so...]
* Periods in the file name and non-breaking spaces in the Content-Type header can make the save/open dialog misleading. A user may be convinced that an executable file is something else, for example a PDF document. [This is http://secunia.com/advisories/12981/ . Not sure it's worth a GLSA]
* Applets have access to sun.* packages: intrusive JavaScript or Java applet could exploit Sun Java vulnerability to retrieve logged-in user's username and install directory. [This is the one that convinced me to issue a GLSA. In fact it's just a small infoleak, not a sandbox bypass, so it's probably not worth a GLSA]
* Liveconnect: com.opera.EcmascriptObject constructor is accessible to Java, and LiveConnect reveals the path to the user's home directory. [small infoleak]
* Improved support for the "must-revalidate" cache directive. [yeah right]

We still have two vulnerabilities current, the kfmclient exec Opera/KDE thing (which is rather grave for KDE users) and a complete fix to Secunia's window injection thing. So we have two choices: issuing a "Low" GLSA with what is fixed in 7.54u1, or waiting for other fixes to come in.
You are vulnerable: class sun.text.Utility
Version 7.54 u1

I vote for a hold on this one.
We should hold this one and wait for new fixes I guess.
On hold waiting for more fixes
754u2 is released and in portage
GLSA 200502-17