Bug: Opera Command Line URL Shell Command Injection ( Ascii Version )

Search:
WLB2

Opera Command Line URL Shell Command Injection

Published
Credit
Risk
2005.11.23
Peter Zelezny & Jakob Balle & Secunia Research
High
CWE
CVE
Local
Remote
N/A
CVE-2005-3750
No
Yes

CVSS Base Score
Impact Subscore
Exploitability Subscore
7.5/10
6.4/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial

======================================================================

Secunia Research 22/11/2005

- Opera Command Line URL Shell Command Injection -

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Description of Vulnerability.........................................3
Solution.............................................................4
Time Table...........................................................5
Credits..............................................................6
References...........................................................7
About Secunia........................................................8
Verification.........................................................9

======================================================================
1) Affected Software

Opera 8.x on Unix / Linux based environments.

Prior versions may also be affected.

======================================================================
2) Severity

Rating: Highly Critical
Impact: System access
Where: Remote

======================================================================
3) Description of Vulnerability

Secunia Research has discovered a vulnerability in Opera, which can
be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to the shell script used to launch
Opera parsing shell commands that are enclosed within backticks in
the URL provided via the command line. This can e.g. be exploited to
execute arbitrary shell commands by tricking a user into following a
malicious link in an external application which uses Opera as the
default browser (e.g. the mail client Evolution on Red Hat Enterprise
Linux 4).

This vulnerability can only be exploited on Unix / Linux based
environments.

This vulnerability is a variant of:
http://secunia.com/SA16869

======================================================================
4) Solution

Update to version 8.51.
http://www.opera.com/download/

======================================================================
5) Time Table

22/09/2005 - Initial vendor notification.
22/09/2005 - Initial vendor reply.
22/11/2005 - Vendor released patches.
22/11/2005 - Public disclosure.

======================================================================
6) Credits

Originally discovered by:
Peter Zelezny

Discovered in Opera by:
Jakob Balle, Secunia Research

======================================================================
7) References

Secunia Advisory SA16869:
http://secunia.com/advisories/16869/

======================================================================
8) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding
all the latest software vulnerabilities disclosed to the public. These
advisories are gathered in a publicly available database at the
Secunia website:

http://secunia.com/

Secunia offers services to our customers enabling them to receive all
relevant vulnerability information to their specific system
configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/

======================================================================
9) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2005-57/advisory/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================

See this note in TXT Version

Bugtraq RSS
Bugtraq
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn
 
CVE RSS
CVEMAP

Copyright 2014, cxsecurity.com
Ascii Version