======================================================================
Secunia Research 10/12/2004
- Opera Download Dialog Spoofing Vulnerability -
======================================================================
Table of Contents
Affected Software....................................................1
Severity.............................................................2
Description of Vulnerability.........................................3
Solution.............................................................4
Time Table...........................................................5
Credits..............................................................6
About Secunia........................................................7
Verification.........................................................8
======================================================================
1) Affected Software
Opera 7.54 for Windows
Prior versions may also be vulnerable.
======================================================================
2) Severity
Rating: Moderately critical
Impact: Spoofing
Where: From remote
======================================================================
3) Description of Vulnerability
Secunia Research has discovered a vulnerability in Opera, which can be
exploited by malicious people to trick users into executing malicious
files.
The vulnerability is caused due to the filename and the "Content-Type"
header not being sufficiently validated before being displayed in the
file download dialog. This can be exploited to spoof file types in the
download dialog by passing specially crafted "Content-Disposition" and
"Content-Type" headers containing dots and ASCII character code 160.
Successful exploitation may result in users being tricked into
executing a malicious file via the download dialog.
The vulnerability has been confirmed on Opera 7.54 for Windows. Other
versions may also be affected.
======================================================================
4) Solution
Update to version 7.54u1.
http://www.opera.com/download/
======================================================================
5) Time Table
25/10/2004 - Vulnerability discovered.
01/11/2004 - Vendor notified.
01/11/2004 - Vendor confirms the vulnerability.
10/12/2004 - Public disclosure.
======================================================================
6) Credits
Discovered by Andreas Sandblad, Secunia Research.
======================================================================
7) About Secunia
Secunia collects, validates, assesses, and writes advisories regarding
all the latest software vulnerabilities disclosed to the public. These
advisories are gathered in a publicly available database at the
Secunia web site:
http://secunia.com/
Secunia offers services to our customers enabling them to receive all
relevant vulnerability information to their specific system
configuration.
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/secunia_security_advisories/
======================================================================
8) Verification
Please verify this advisory by visiting the Secunia web site:
http://secunia.com/secunia_research/2004-19/advisory/
======================================================================
--
Kind regards,
Thomas Kristensen
CTO
Secunia
Toldbodgade 37B
1253 Copenhagen K
Denmark
Tlf.: +45 7020 5144
Fax: +45 7020 5145
Received on Dec 12 2004
Intro
