Secunia Research: Opera Command Line URL Shell Command Injection

• Previous message: Martin Schulze: "[SECURITY] [DSA 906-1] New sylpheed packages fix arbitrary code execution"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: vuln@secunia.com
Date: Tue, 22 Nov 2005 10:40:01 +0100

======================================================================

                     Secunia Research 22/11/2005

         - Opera Command Line URL Shell Command Injection -

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Description of Vulnerability.........................................3
Solution.............................................................4
Time Table...........................................................5
Credits..............................................................6
References...........................................................7
About Secunia........................................................8
Verification.........................................................9

======================================================================
1) Affected Software

Opera 8.x on Unix / Linux based environments.

Prior versions may also be affected.

======================================================================
2) Severity

Rating: Highly Critical
Impact: System access
Where: Remote

======================================================================
3) Description of Vulnerability

Secunia Research has discovered a vulnerability in Opera, which can
be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to the shell script used to launch
Opera parsing shell commands that are enclosed within backticks in
the URL provided via the command line. This can e.g. be exploited to
execute arbitrary shell commands by tricking a user into following a
malicious link in an external application which uses Opera as the
default browser (e.g. the mail client Evolution on Red Hat Enterprise
Linux 4).

This vulnerability can only be exploited on Unix / Linux based
environments.

This vulnerability is a variant of:
http://secunia.com/SA16869

======================================================================
4) Solution

Update to version 8.51.
http://www.opera.com/download/

======================================================================
5) Time Table

22/09/2005 - Initial vendor notification.
22/09/2005 - Initial vendor reply.
22/11/2005 - Vendor released patches.
22/11/2005 - Public disclosure.

======================================================================
6) Credits

Originally discovered by:
Peter Zelezny

Discovered in Opera by:
Jakob Balle, Secunia Research

======================================================================
7) References

Secunia Advisory SA16869:
http://secunia.com/advisories/16869/

======================================================================
8) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding
all the latest software vulnerabilities disclosed to the public. These
advisories are gathered in a publicly available database at the
Secunia website:

http://secunia.com/

Secunia offers services to our customers enabling them to receive all
relevant vulnerability information to their specific system
configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/

======================================================================
9) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2005-57/advisory/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================

• Previous message: Martin Schulze: "[SECURITY] [DSA 906-1] New sylpheed packages fix arbitrary code execution"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: [Full-Disclosure] Secunia Research: Xeneo Web Server URL Encoding Denial of Service ... I found this vulnerability and published it on April 21. ... Try reading your mail lists before sending out advisories. ... > Receive Secunia Security Advisories for free: ... > Xeneo Web Server 2.2.9 and prior. ... (Full-Disclosure) Secunia Research: Opera browser Cross Site Scripting ... A vulnerability exists in the way the Opera browser generates a ... When Opera generates a page for displaying a redirect, ... Secunia collects, validates, assesses and writes advisories regarding ... (NT-Bugtraq) [Full-Disclosure] Secunia Research: IBM Net.Data Macro Name Cross-Site Scripting Vulnerability ... A vulnerability has been identified in IBM Net.Data, ... 04/11/2003 - Vendor notified ... Discovered by Carsten Eiram, Secunia Research. ... Secunia collects, validates, assesses, and writes advisories regarding ... (Full-Disclosure) [Full-disclosure] Secunia Research: Opera Command Line URL Shell Command Injection ... Opera 8.x on Unix / Linux based environments. ... Secunia Research has discovered a vulnerability in Opera, ... Jakob Balle, Secunia Research ... Secunia collects, validates, assesses, and writes advisories regarding ... (Full-Disclosure) [VulnWatch] Secunia Research: IBM Net.Data Macro Name Cross-Site Scripting Vulnerability ... A vulnerability has been identified in IBM Net.Data, ... 04/11/2003 - Vendor notified ... Discovered by Carsten Eiram, Secunia Research. ... Secunia collects, validates, assesses, and writes advisories regarding ... (Full-Disclosure)