Bug 117980 (CVE-2005-3007) - VUL-0: CVE-2005-3007: opera script insertion attack
Status: RESOLVED FIXED
Alias: CVE-2005-3007
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other All
: P5 - None : Normal
Target Milestone: ---
Assignee: Lukas Tinkl
QA Contact: Security Team bot
Whiteboard: CVE-2005-3007: CVSS v2 Base Score: 2....
Reported: 2005-09-20 11:59 UTC by Marcus Meissner
Modified: 2021-12-06 09:35 UTC
Found By: Other
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2005-09-20 11:59:58 UTC
From: Secunia Research <vuln@secunia.com> 
To: full-disclosure@lists.grok.org.uk 
Date: Tue, 20 Sep 2005 11:06:05 +0200 
Cc: bugtraq@securityfocus.com 
Subject: [Full-disclosure] Secunia Research: Opera Mail Client Attachment 
        Spoofing and Script Insertion 
Reply-To: vuln@secunia.com 
Errors-To: full-disclosure-bounces@lists.grok.org.uk 
 
====================================================================== 
 
                     Secunia Research 20/09/2005 
 
   - Opera Mail Client Attachment Spoofing and Script Insertion - 
 
====================================================================== 
Table of Contents 
 
Affected Software....................................................1 
Severity.............................................................2 
Description of Vulnerability.........................................3 
Solution.............................................................4 
Time Table...........................................................5 
Credits..............................................................6 
References...........................................................7 
About Secunia........................................................8 
Verification.........................................................9 
 
====================================================================== 
1) Affected Software 
 
Opera 8.02 
 
Prior versions may also be affected. 
 
====================================================================== 
2) Severity 
 
Rating: Moderately Critical 
Impact: Script Insertion, Spoofing 
Where:  From Remote 
 
====================================================================== 
3) Description of Vulnerability 
 
Secunia Research has discovered two vulnerabilities in the Opera Mail 
client, which can be exploited by a malicious person to conduct script 
insertion attacks and to spoof the name of attached files. 
 
1. Attached files are opened without any warnings directly from the 
user's cache directory. This can be exploited to execute arbitrary 
JavaScript in context of "file://". 
 
2. Normally, filename extensions are determined by the "Content-Type"  
in Opera Mail. However, by appending an additional '.' to the end of 
a filename, an HTML file could be spoofed to be e.g. "image.jpg.". 
 
The two vulnerabilities combined may be exploited to conduct script 
insertion attacks if the user chooses to view an attachment named 
e.g. "image.jpg." e.g. resulting in disclosure of local files. 
 
====================================================================== 
4) Solution 
 
Update to version 8.50. 
http://www.opera.com/download/ 
 
====================================================================== 
5) Time Table 
 
01/09/2005 - Initial vendor notification. 
20/09/2005 - Public disclosure. 
 
====================================================================== 
6) Credits 
 
Discovered by Jakob Balle, Secunia Research. 
 
====================================================================== 
7) References 
 
No references available. 
 
======================================================================
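A mail-gateway or triage check for the filename/Content-Type mismatch the advisory describes, as an added example that is not part of the Secunia advisory or of this bug report. The function name, the list of active content types and the sample message are assumptions made for illustration.

```python
import mimetypes
from email import message_from_string

# Types a mail client may render with scripting (assumed list, not from the advisory).
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}
_TYPES = mimetypes.MimeTypes()  # extension-to-type map used for the comparison

def audit_attachments(raw_message):
    """Return (filename, declared_type, reasons) for each suspicious attachment."""
    findings = []
    for part in message_from_string(raw_message).walk():
        name = part.get_filename()
        if not name:
            continue
        declared = part.get_content_type()
        reasons = []
        # "image.jpg." shows a .jpg name while carrying no real extension.
        stripped = name.rstrip(". ")
        if stripped != name:
            reasons.append("trailing-dot")
        implied, _ = _TYPES.guess_type(stripped)
        if implied and implied != declared:
            reasons.append("name-implies-" + implied)
        if declared in ACTIVE_TYPES and implied != declared:
            reasons.append("active-content-disguised")
        if reasons:
            findings.append((name, declared, reasons))
    return findings

# Constructed sample message (not taken from the advisory).
SAMPLE = """\
From: a@example.test
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/html; name="image.jpg."
Content-Disposition: attachment; filename="image.jpg."

<html><body>constructed placeholder</body></html>
--BOUND
Content-Type: image/jpeg; name="holiday.jpg"
Content-Disposition: attachment; filename="holiday.jpg"

(constructed placeholder bytes)
--BOUND--
"""

if __name__ == "__main__":
    print(audit_attachments(SAMPLE))
```
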
Comment 1 Lukas Tinkl 2005-09-21 13:50:58 UTC
Fixed package submitted to stable; if I should backport, down to which 
version? 
Comment 2 Marcus Meissner 2005-09-21 13:59:16 UTC
down to 9.0 if possible. 
 
swampid: 2364 
Comment 3 Marcus Meissner 2005-09-22 12:40:07 UTC
is 10.0 itself affected?  
Comment 4 Lukas Tinkl 2005-09-22 13:26:29 UTC
10.0 probably as well, what's the procedure there? I backported the fixes now 
down to 9.0 
Comment 5 Marcus Meissner 2005-09-22 13:31:07 UTC
just submit a fixed package to done/10.0/  
Comment 6 Michael Schröder 2005-09-23 16:44:39 UTC
Shouldn't the specfile read "Version: 8.50"? 
 
Comment 7 Lukas Tinkl 2005-09-24 10:53:57 UTC
I messed up :( The specfile should indeed be 8.50, I'll fix  
Comment 8 Lukas Tinkl 2005-09-26 10:03:17 UTC
Fixed 
Comment 9 Marcus Meissner 2005-09-26 14:02:28 UTC
CAN-2005-3006 
CAN-2005-3007 
Comment 10 Marcus Meissner 2005-09-26 15:16:14 UTC
advisory and packages released.  
Comment 11 Thomas Biege 2009-10-13 21:35:40 UTC
CVE-2005-3007: CVSS v2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)