Another cross-site hole in Opera
Opera had hardly released security update 9.61 for its browser, and already the Full Disclosure security mailing list is discussing another critical security hole. Discussions were started by a report about a Stored Cross Site Scripting vulnerability in Opera which allows attackers to execute JavaScript code in the context of another page due to a flaw in the browser history search function. This gave rise to the question whether the search function accessible through opera:historysearch can be exploited for other malicious activities in the local database and whether the flaw gives potential attackers access to other files or data.
Browser security specialist Aviv Raff now claims to have found a way of starting arbitrary locally stored files. To do this, Raff uses Opera's execution of external mail applications and changes the applications to local ones. To infect a computer a web page could, for example, first make Opera download malware via FTP and then prompt the browser to execute it.
A public exploit created by Raff demonstratew the problem in a harmless way by starting the Windows calculator. However, the demo did not work when tested by heise Security on two computers. It may be that Raff has disabled the demo without notice, as a required JavaScript file is no longer accessible.
According to a report by ZDNet.com, a second and functional exploit has already been circulated for the current version of Opera. There is no update to fix this vulnerability. Whether Opera has already been informed about the problem is unknown. Users are advised to switch to a different browser until an update becomes available.
See also:
- Opera Stored Cross Site Scripting, Beschreibung von Aviv Raff
(jbe)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
