Bug 117980 (CVE-2005-3007)

Summary: VUL-0: CVE-2005-3007: opera script insertion attack
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: Lukas Tinkl <ltinkl>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P5 - None CC: security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: All   
Whiteboard: CVE-2005-3007: CVSS v2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Marcus Meissner 2005-09-20 11:59:58 UTC 
From: Secunia Research <vuln@secunia.com> 
To: full-disclosure@lists.grok.org.uk 
Date: Tue, 20 Sep 2005 11:06:05 +0200 
Cc: bugtraq@securityfocus.com 
Subject: [Full-disclosure] Secunia Research: Opera Mail Client Attachment 
        Spoofing and Script Insertion 
Reply-To: vuln@secunia.com 
Errors-To: full-disclosure-bounces@lists.grok.org.uk 
 
====================================================================== 
 
                     Secunia Research 20/09/2005 
 
   - Opera Mail Client Attachment Spoofing and Script Insertion - 
 
====================================================================== 
Table of Contents 
 
Affected Software....................................................1 
Severity.............................................................2 
Description of Vulnerability.........................................3 
Solution.............................................................4 
Time Table...........................................................5 
Credits..............................................................6 
References...........................................................7 
About Secunia........................................................8 
Verification.........................................................9 
 
====================================================================== 
1) Affected Software 
 
Opera 8.02 
 
Prior versions may also be affected. 
 
====================================================================== 
2) Severity 
 
Rating: Moderately Critical 
Impact: Script Insertion, Spoofing 
Where:  From Remote 
 
====================================================================== 
3) Description of Vulnerability 
 
Secunia Research has discovered two vulnerabilities in the Opera Mail 
client, which can be exploited by a malicious person to conduct script 
insertion attacks and to spoof the name of attached files. 
 
1. Attached files are opened without any warnings directly from the 
user's cache directory. This can be exploited to execute arbitrary 
JavaScript in context of "file://". 
 
2. Normally, filename extensions are determined by the "Content-Type"  
in Opera Mail. However, by appending an additional '.' to the end of 
a filename, an HTML file could be spoofed to be e.g. "image.jpg.". 
 
The two vulnerabilities combined may be exploited to conduct script 
insertion attacks if the user chooses to view an attachment named 
e.g. "image.jpg." e.g. resulting in disclosure of local files. 
 
====================================================================== 
4) Solution 
 
Update to version 8.50. 
http://www.opera.com/download/ 
 
====================================================================== 
5) Time Table 
 
01/09/2005 - Initial vendor notification. 
20/09/2005 - Public disclosure. 
 
====================================================================== 
6) Credits 
 
Discovered by Jakob Balle, Secunia Research. 
 
====================================================================== 
7) References 
 
No references available. 
 
======================================================================
Comment 1 Lukas Tinkl 2005-09-21 13:50:58 UTC 
Fixed package submitted to stable; if I should backport, down to which 
version?
Comment 2 Marcus Meissner 2005-09-21 13:59:16 UTC 
down to 9.0 if possible. 
 
swampid: 2364
Comment 3 Marcus Meissner 2005-09-22 12:40:07 UTC 
is 10.0 itself affected?
Comment 4 Lukas Tinkl 2005-09-22 13:26:29 UTC 
10.0 probably as well, what's the procedure there? I backported the fixes now 
down to 9.0
Comment 5 Marcus Meissner 2005-09-22 13:31:07 UTC 
just sbumit a fixed package to done/10.0/
Comment 6 Michael Schröder 2005-09-23 16:44:39 UTC 
Shouldn't the specfile read "Version: 8.50"?
Comment 7 Lukas Tinkl 2005-09-24 10:53:57 UTC 
I messed up :( The specfile should indeed be 8.50, I'll fix
Comment 8 Lukas Tinkl 2005-09-26 10:03:17 UTC 
Fixed
Comment 9 Marcus Meissner 2005-09-26 14:02:28 UTC 
  CAN-2005-3006 
CAN-2005-3007
Comment 10 Marcus Meissner 2005-09-26 15:16:14 UTC 
advisory and packages released.
Comment 11 Thomas Biege 2009-10-13 21:35:40 UTC 
CVE-2005-3007: CVSS v2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)