FreshPorts - VuXML

Opera reports:

When requesting pages using HTTP, Opera temporarily stores the response in a buffer. In some cases, Opera may incorrectly allocate too little space for a buffer, and may then store too much of the response in that buffer. This causes a buffer overflow, which in turn can lead to a memory corruption and crash. It is possible to use this crash to execute the overflowing data as code, which may be controlled by an attacking site.

< 12.11

< 12.11

< 12.11

< 12.11

Opera Software ASA reports of multiple security fixes in Opera, including an arbitrary code execute vulnerability:

Opera for Linux, FreeBSD, and Solaris has a flaw in the createPattern function that leaves old data that was in the memory before Opera allocated it in the new pattern. The pattern can be read and analyzed by JavaScript, so an attacker can get random samples of the user's memory, which may contain data.

Removing a specially crafted torrent from the download manager can crash Opera. The crash is caused by an erroneous memory access.

An attacker needs to entice the user to accept the malicious BitTorrent download, and later remove it from Opera's download manager. To inject code, additional means will have to be employed.

Users clicking a BitTorrent link and rejecting the download are not affected.

data: URLs embed data inside them, instead of linking to an external resource. Opera can mistakenly display the end of a data URL instead of the beginning. This allows an attacker to spoof the URL of a trusted site.

Opera's HTTP authentication dialog is displayed when the user enters a Web page that requires a login name and a password. To inform the user which server it was that asked for login credentials, the dialog displays the server name.

The user has to see the entire server name. A truncated name can be misleading. Opera's authentication dialog cuts off the long server names at the right hand side, adding an ellipsis (...) to indicate that it has been cut off.

The dialog has a predictable size, allowing an attacker to create a server name which will look almost like a trusted site, because the real domain name has been cut off. The three dots at the end will not be obvious to all users.

This flaw can be exploited by phishers who can set up custom sub-domains, for example by hosting their own public DNS.

< 9.22

Marc Schoenefeld reports:

Opera 7.54 is vulnerable to leakage of the java sandbox, allowing malicious applets to gain unacceptable privileges. This allows them to be used for information gathering (spying) of local identity information and system configurations as well as causing annoying crash effects.

Opera 754 [sic] which was released Aug 5,2004 is vulnerable to the XSLT processor covert channel attack, which was corrected with JRE 1.4.2_05 [released in July 04], but in disadvantage to the users the opera packaging guys chose to bundle the JRE 1.4.2_04 [...]

Internal pointer DoS exploitation: Opera.jar contains the opera replacement of the java plugin. It therefore handles communication between javascript and the Java VM via the liveconnect protocol. The public class EcmaScriptObject exposes a system memory pointer to the java address space, by constructing a special variant of this type an internal cache table can be polluted by false entries that infer proper function of the JSObject class and in the following proof-of-concept crash the browser.

Exposure of location of local java installation Sniffing the URL classpath allows to retrieve the URLs of the bootstrap class path and therefore the JDK installation directory.

Exposure of local user name to an untrusted applet An attacker could use the sun.security.krb5.Credentials class to retrieve the name of the currently logged in user and parse his home directory from the information which is provided by the thrown java.security.AccessControlException.

< 7.54.20041210

Opera reports:

A specially crafted digital certificate can bypass Opera's certificate signature verification. Forged certificates can contain any false information the forger chooses, and Opera will still present it as valid. Opera will not present any warning dialogs in this case, and the security status will be the highest possible (3). This defeats the protection against "man in the middle", the attacks that SSL was designed to prevent.

There is a flaw in OpenSSL's RSA signature verification that affects digital certificates using 3 as the public exponent. Some of the certificate issuers that are on Opera's list of trusted signers have root certificates with 3 as the public exponent. The forged certificate can appear to be signed by one of these.

< 9.02

A Secunia Advisory reports:

Michael Holzt has discovered a vulnerability in Opera, which can be exploited by malicious people to trick users into executing malicious files.

The vulnerability is caused due to an error in the processing of "data:" URIs, causing wrong information to be shown in a download dialog. This can be exploited by e.g. a malicious website to trick users into executing a malicious file by supplying a specially crafted "data:" URI.

< 7.54.20050131

Opera reports:

Opera 11.01 is a recommended upgrade offering security and stability enhancements.

The following security vulnerabilities have been fixed:

• Removed support for "javascript:" URLs in CSS -o-link values, to make it easier for sites to filter untrusted CSS.
• Fixed an issue where large form inputs could allow execution of arbitrary code, as reported by Jordi Chancel; see our advisory.
• Fixed an issue which made it possible to carry out clickjacking attacks against internal opera: URLs; see our advisory.
• Fixed issues which allowed web pages to gain limited access to files on the user's computer; see our advisory.
• Fixed an issue where email passwords were not immediately deleted when deleting private data; see our advisory.

< 11.01

Opera Software ASA reports about multiple security fixes:

• Fixed an issue where simulated text inputs could trick users into uploading arbitrary files, as reported by Mozilla.
• Image properties can no longer be used to execute scripts, as reported by Max Leonov.
• Fixed an issue where the representation of DOM attribute values could allow cross site scripting, as reported by Arnaud.lb.

< 9.26

Opera Software ASA reports about multiple security fixes:

• Fixed an issue where plug-ins could be used to allow cross domain scripting, as reported by David Bloom. Details will be disclosed at a later date.
• Fixed an issue with TLS certificates that could be used to execute arbitrary code, as reported by Alexander Klink (Cynops GmbH). Details will be disclosed at a later date.
• Rich text editing can no longer be used to allow cross domain scripting, as reported by David Bloom. See our advisory.
• Prevented bitmaps from revealing random data from memory, as reported by Gynvael Coldwind. Details will be disclosed at a later date.

< 9.25

Opera reports:

CORS (Cross-Origin Resource Sharing) allows web pages to retrieve the contents of pages from other sites, with their permission, as they would appear for the current user. When requests are made in this way, the browser should only allow the page content to be retrieved if the target site sends the correct headers that give permission for their contents to be used in this way. Specially crafted requests may trick Opera into thinking that the target site has given permission when it had not done so. This can result in the contents of any target page being revealed to untrusted sites, including any sensitive information or session IDs contained within the source of those pages.

Also reported are vulnerabilities involving SVG graphics and XSS.

< 12.10

< 12.10

< 12.10

< 12.10

A Secunia Advisory reports:

Secunia Research has discovered a vulnerability in Opera, which can be exploited by malicious people to conduct cross-site scripting attacks and to read local files.

The vulnerability is caused due to Opera not properly restricting the privileges of "javascript:" URLs when opened in e.g. new windows or frames.

< 8.01

An advisory from Opera reports:

If a user has configured Opera to use an external newsgroup client or e-mail application, specially crafted Web pages can cause Opera to run that application incorrectly. In some cases this can lead to execution of arbitrary code.

When accesing frames from different Web sites, specially crafted scripts can bypass the same-origin policy, and overwrite functions from those frames. If scripts on the page then run those functions, this can cause the script of the attacker's choice to run in the context of the target Web site.

< 9.24

Opera Team Reports:

• Issue where sites using revoked intermediate certificates might be shown as secure
• Issue where the collapsed address bar didn't show the current domain
• Issue where pages could trick users into uploading files
• Some IDNA characters not correctly displaying in the address bar
• Issue where Opera accepts nulls and invalid wild-cards in certificates

< 10.00.20090830

le 10.00.b3_1,1

< 10.00

iDefense Labs reports:

Remote exploitation of a heap overflow vulnerability within version 9 of Opera Software's Opera Web browser could allow an attacker to execute arbitrary code on the affected host.

A flaw exists within Opera when parsing a tag that contains a URL. A heap buffer with a constant size of 256 bytes is allocated to store the URL, and the tag's URL is copied into this buffer without sufficient bounds checking of its length.

gt 9.* lt 9.02

The Opera Desktop Team reports:

Data URIs are allowed to run scripts that manipulate pages from the site that directly opened them. In some cases, the opening site is not correctly detected. In these cases, Data URIs may erroneously be able to run scripts so that they interact with sites that did not directly cause them to be opened.

< 10.11

le 10.20_2,1

iDefense reports:

The vulnerability specifically exists due to Opera improperly processing a JPEG DHT marker. The DHT marker is used to define a Huffman Table which is used for decoding the image data. An invalid number of index bytes in the DHT marker will trigger a heap overflow with partially user controlled data.

Exploitation of this vulnerability would allow an attacker to execute arbitrary code on the affected host. The attacker would first need to construct a website containing the malicious image and trick the vulnerable user into visiting the site. This would trigger the vulnerability and allow the code to execute with the privileges of the local user.

A flaw exists within Opera's Javascript SVG implementation. When processing a createSVGTransformFromMatrix request Opera does not properly validate the type of object passed to the function. Passing an incorrect object to this function can result in it using a pointer that is user controlled when it attempts to make the virtual function call.

Exploitation of this vulnerability would allow an attacker to execute arbitrary code on the affected host. The attacker would first need to construct a website containing the malicious JavaScript and trick the vulnerable user into visiting the site. This would trigger the vulnerability and allow the code to execute with the privileges of the local user.

< 9.10

A Secunia Advisory reports:

Secunia Research has discovered a vulnerability in Opera, which can be exploited by malicious people to steal content or to perform actions on other web sites with the privileges of the user.

Normally, it should not be possible for the XMLHttpRequest object to access resources from outside the domain of which the object was opened. However, due to insufficient validation of server side redirects, it is possible to circumvent this restriction.

gt 8.* lt 8.01

Opera reports:

When loading GIF images into memory, Opera should allocate the correct amount of memory to store that image. Specially crafted image files can cause Opera to allocate the wrong amount of memory. Subsequent data may then overwrite unrelated memory with attacker-controlled data. This can lead to a crash, which may also execute that data as code.

< 12.12

< 12.12

< 12.12

< 12.12

A Secunia Advisory reports:

Secunia Research has discovered a vulnerability in Opera, which can be exploited by malicious people to conduct cross-site scripting attacks and retrieve a user's files.

The vulnerability is caused due to Opera allowing a user to drag e.g. an image, which is actually a "javascript:" URI, resulting in cross-site scripting if dropped over another site. This may also be used to populate a file upload form, resulting in uploading of arbitrary files to a malicious web site.

Successful exploitation requires that the user is tricked into dragging and dropping e.g. an image or a link.

< 8.02

A Secunia Advisory reports:

Secunia Research has discovered a vulnerability in Opera, which can be exploited by malicious people to conduct cross-site scripting attacks against users.

The vulnerability is caused due to input not being sanitised, when Opera generates a temporary page for displaying a redirection when "Automatic redirection" is disabled (not default setting).

gt 8.* lt 8.01

A Secunia Advisory reports:

Secunia Research has discovered a vulnerability in Opera, which can be exploited by malicious people to trick users into executing malicious files.

The vulnerability is caused due to an error in the handling of extended ASCII codes in the download dialog. This can be exploited to spoof the file extension in the file download dialog via a specially crafted "Content-Disposition" HTTP header.

Successful exploitation may result in users being tricked into executing a malicious file via the download dialog, but requires that the "Arial Unicode MS" font (ARIALUNI.TTF) has been installed on the system.

< 8.02

Opera software reports:

• Fixed a moderately severe issue; details will be disclosed at a later date
• Fixed an issue that could allow pages to set cookies or communicate cross-site for some top level domains; see our advisory
• Improved handling of certificate revocation corner cases
• Added a fix for a weakness in the SSL v3.0 and TLS 1.0 specifications, as reported by Thai Duong and Juliano Rizzo; see our advisory
• Fixed an issue where the JavaScript "in" operator allowed leakage of cross-domain information, as reported by David Bloom; see our advisory

< 11.60

< 11.60,1

A Secunia Research advisory reports:

Secunia Research has reported a vulnerability in multiple browsers, which can be exploited by malicious people to spoof the content of websites.

The problem is that a website can inject content into another site's window if the target name of the window is known. This can e.g. be exploited by a malicious website to spoof the content of a pop-up window opened on a trusted website.

Secunia has constructed a test, which can be used to check if your browser is affected by this issue: http://secunia.com/multiple_browsers_window_injection_vulnerability_test/

A workaround for Mozilla-based browsers is available.

< 1.0.1,1

< 1.7.6,2

< 1.7.6

ge 0

ge 0

< 3.3.2

< 7.54.20050131

Opera reports:

Fixed a moderately severe issue, as reported by Attila Suszte.

< 12.15

< 12.15

< 12.15

< 12.15

Opera reports:

It is possible to make a form input that looks like an image link. If the form input has a "title" attribute, the status bar will show the "title". A "title" which looks like a URL can mislead the user, since the title can say http://nice.familiar.com/, while the form action can be something else.

Opera's tooltip says "Title:" before the title text, making a spoof URL less convincing. A user who has enabled the status bar and disabled tooltips can be affected by this. Neither of these settings are Opera's defaults.

This exploit is mostly of interest to users who disable JavaScript. If JavaScript is enabled, any link target or form action can be overridden by the script. The tooltip and the statusbar can only be trusted to show the true location if JavaScript is disabled.

Java code using LiveConnect methods to remove a property of a JavaScript object may in some cases use null pointers that can make Opera crash. This crash is not exploitable and such code is rare on the web.

< 8.51

Giovanni Delvecchio reports:

Opera for linux uses "kfmclient exec" as "Default Application" to handle saved files. This could be used by malicious remote users to execute arbitrary shell commands on a target system.

< 7.54.20050131

An advisory from Opera reports:

A specially crafted JavaScript can make Opera execute arbitrary code.

< 9.23.20070809

An Opera Advisory reports:

Opera for UNIX uses a wrapper shell script to start up Opera. This shell script reads the input arguments, like the file names or URLs that Opera is to open. It also performs some environment checks, for example whether Java is available and if so, where it is located.

This wrapper script can also run commands embedded in the URL, so that a specially crafted URL can make arbitrary commands run on the recipient's machine. Users who have other programs set up to use Opera to open Web links are vulnerable to this flaw. For these users, clicking a Web link in for example OpenOffice.org or Evolution can run a command that was put into the link.

< 8.51

Opera Software ASA reports:

Fixed an issue with framesets that could allow execution of arbitrary code, as reported by an anonymous contributor working with the SecuriTeam Secure Disclosure program.

< 11.11

< 11.11

< 11.11

Opera reports:

Particular DOM event manipulations can cause Opera to crash. In some cases, this crash might occur in a way that allows execution of arbitrary code. To inject code, additional techniques would have to be employed.

< 12.13