====================================================================== Secunia Research 22/11/2005 - Opera Command Line URL Shell Command Injection - ====================================================================== Table of Contents Affected Software....................................................1 Severity.............................................................2 Description of Vulnerability.........................................3 Solution.............................................................4 Time Table...........................................................5 Credits..............................................................6 References...........................................................7 About Secunia........................................................8 Verification.........................................................9 ====================================================================== 1) Affected Software Opera 8.x on Unix / Linux based environments. Prior versions may also be affected. ====================================================================== 2) Severity Rating: Highly Critical Impact: System access Where: Remote ====================================================================== 3) Description of Vulnerability Secunia Research has discovered a vulnerability in Opera, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to the shell script used to launch Opera parsing shell commands that are enclosed within backticks in the URL provided via the command line. This can e.g. be exploited to execute arbitrary shell commands by tricking a user into following a malicious link in an external application which uses Opera as the default browser (e.g. the mail client Evolution on Red Hat Enterprise Linux 4). This vulnerability can only be exploited on Unix / Linux based environments. This vulnerability is a variant of: http://secunia.com/SA16869 ====================================================================== 4) Solution Update to version 8.51. http://www.opera.com/download/ ====================================================================== 5) Time Table 22/09/2005 - Initial vendor notification. 22/09/2005 - Initial vendor reply. 22/11/2005 - Vendor released patches. 22/11/2005 - Public disclosure. ====================================================================== 6) Credits Originally discovered by: Peter Zelezny Discovered in Opera by: Jakob Balle, Secunia Research ====================================================================== 7) References Secunia Advisory SA16869: http://secunia.com/advisories/16869/ ====================================================================== 8) About Secunia Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public. These advisories are gathered in a publicly available database at the Secunia website: http://secunia.com/ Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration. Secunia offers a FREE mailing list called Secunia Security Advisories: http://secunia.com/secunia_security_advisories/ ====================================================================== 9) Verification Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2005-57/advisory/ Complete list of vulnerability reports published by Secunia Research: http://secunia.com/secunia_research/ ======================================================================