Vulnerabilities > CVE-2004-2570 - Injection vulnerability in Opera Browser
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
PARTIAL Availability impact
NONE Summary
Opera before 7.54 allows remote attackers to modify properties and methods of the location object and execute Javascript to read arbitrary files from the client's local filesystem or display a false URL to the user.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Server Side Include (SSI) Injection An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.
- Cross Site Scripting through Log Files An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
- Command Line Execution through SQL Injection An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.
- Subverting Environment Variable Values The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
Nessus
NASL family Windows NASL id OPERA_REMOTE_LOCATION_OBJECT_FLAW.NASL description The version of Opera on the remote host fails to block write access to the last seen 2020-06-01 modified 2020-06-02 plugin id 14261 published 2004-08-12 reporter This script is Copyright (C) 2004-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/14261 title Opera < 7.54 location Object Crafted URL Arbitrary Local File Access code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(14261); script_version("1.19"); script_cve_id("CVE-2004-2570"); script_bugtraq_id(10873); script_name(english:"Opera < 7.54 location Object Crafted URL Arbitrary Local File Access"); script_set_attribute(attribute:"synopsis", value: "The remote host contains a web browser that is affected by multiple flaws." ); script_set_attribute(attribute:"description", value: "The version of Opera on the remote host fails to block write access to the 'location' object. This could allow a user to create a specially crafted URL to overwrite methods within the 'location' object that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of confidentiality and integrity." ); script_set_attribute(attribute:"see_also", value:"http://www.greymagic.com/security/advisories/gm008-op/" ); script_set_attribute(attribute:"see_also", value:"http://web.archive.org/web/20170706171807/http://www.opera.com/docs/changelogs/windows/754/" ); script_set_attribute(attribute:"solution", value: "Upgrade to Opera 7.54 or newer." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_publication_date", value: "2004/08/12"); script_set_attribute(attribute:"vuln_publication_date", value: "2004/08/05"); script_cvs_date("Date: 2018/11/15 20:50:28"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:opera:opera_browser"); script_end_attributes(); script_summary(english:"Determines the version of Opera.exe"); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc."); script_family(english:"Windows"); script_dependencies("opera_installed.nasl"); script_require_keys("SMB/Opera/Version"); exit(0); } # include("global_settings.inc"); version_ui = get_kb_item("SMB/Opera/Version_UI"); version = get_kb_item("SMB/Opera/Version"); if (isnull(version)) exit(0); ver = split(version, sep:'.', keep:FALSE); for (i=0; i<max_index(ver); i++) ver[i] = int(ver[i]); if ( ver[0] < 7 || (ver[0] == 7 && ver[1] < 54) ) { if (report_verbosity && version_ui) { report = string( "\n", "Opera ", version_ui, " is currently installed on the remote host.\n" ); security_warning(port:get_kb_item("SMB/transport"), extra:report); } else security_warning(get_kb_item("SMB/transport")); }NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200408-05.NASL description The remote host is affected by the vulnerability described in GLSA-200408-05 (Opera: Multiple new vulnerabilities) Multiple vulnerabilities have been found in the Opera web browser. Opera fails to deny write access to the last seen 2020-06-01 modified 2020-06-02 plugin id 14561 published 2004-08-30 reporter This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/14561 title GLSA-200408-05 : Opera: Multiple new vulnerabilities code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 200408-05. # # The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(14561); script_version("1.17"); script_cvs_date("Date: 2019/08/02 13:32:41"); script_cve_id("CVE-2004-2570"); script_xref(name:"GLSA", value:"200408-05"); script_name(english:"GLSA-200408-05 : Opera: Multiple new vulnerabilities"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-200408-05 (Opera: Multiple new vulnerabilities) Multiple vulnerabilities have been found in the Opera web browser. Opera fails to deny write access to the 'location' browser object. An attacker can overwrite methods in this object and gain script access to any page that uses one of these methods. Furthermore, access to file:// URLs is possible even from pages loaded using other protocols. Finally, spoofing a legitimate web page is still possible, despite the fixes announced in GLSA 200407-15. Impact : By enticing an user to visit specially crafted web pages, an attacker can read files located on the victim's file system, read emails written or received by M2, Opera's mail program, steal cookies, spoof URLs, track user browsing history, etc. Workaround : There is no known workaround at this time. All users are encouraged to upgrade to the latest available version." ); # http://www.opera.com/linux/changelogs/754/ script_set_attribute( attribute:"see_also", value:"https://www.opera.com/computer/linux" ); # http://archives.neohapsis.com/archives/fulldisclosure/2004-07/1056.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?29fdad94" ); script_set_attribute( attribute:"see_also", value:"http://www.greymagic.com/security/advisories/gm008-op/" ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/200408-05" ); script_set_attribute( attribute:"solution", value: "All Opera users should upgrade to the latest stable version: # emerge sync # emerge -pv '>=www-client/opera-7.54' # emerge '>=www-client/opera-7.54'" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:opera"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2004/08/05"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/08/30"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"www-client/opera", unaffected:make_list("ge 7.54"), vulnerable:make_list("le 7.53"))) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get()); else security_warning(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Opera"); }
References
- http://archives.neohapsis.com/archives/fulldisclosure/2004-08/0131.html
- http://www.greymagic.com/security/advisories/gm008-op/
- http://www.opera.com/docs/changelogs/windows/754/
- http://www.gentoo.org/security/en/glsa/glsa-200408-05.xml
- http://www.securityfocus.com/bid/10873
- http://osvdb.org/8331
- http://secunia.com/advisories/12233
- https://exchange.xforce.ibmcloud.com/vulnerabilities/16904