Vulnerabilities > CVE-2007-1114 - Cross-Site Scripting vulnerability in Microsoft IE 7.0

047910
CVSS 4.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE
network
microsoft
nessus

Summary

The child frames in Microsoft Internet Explorer 7 inherit the default charset from the parent window when a charset is not specified in an HTTP Content-Type header or META tag, which allows remote attackers to conduct cross-site scripting (XSS) attacks, as demonstrated using the UTF-7 character set.

Vulnerable Configurations

Part Description Count
Application
Microsoft
1

Nessus

NASL family: Windows
NASL id: OPERA_920.NASL
description: The version of Opera installed on the remote host reportedly may allow a remote attacker to bypass cross-site scripting filters because it renders a web page without a defined charset with the charset of the parent page. In addition, its FTP implementation can be leveraged by remote attackers to force the client to connect to arbitrary servers via FTP PASV responses.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 25036
published: 2007-04-14
reporter: This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/25036
title: Opera < 9.20 Multiple Vulnerabilities
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration pass: when `description` is set, the script only declares its
# metadata (ids, references, text, risk vectors, dependencies) and then exits
# without evaluating the host.
if (description)
{
  script_id(25036);
  script_version("1.18");
  script_cvs_date("Date: 2018/11/15 20:50:28");

  # One plugin covers three CVEs. It evaluates the Opera version only (see the
  # required KB key below), so a hit says nothing about any other browser on
  # the host that one of these CVE ids may also describe.
  script_cve_id("CVE-2007-1114", "CVE-2007-1115", "CVE-2007-1563");
  script_bugtraq_id(22701, 23089, 41927);

  script_name(english:"Opera < 9.20 Multiple Vulnerabilities");
  script_summary(english:"Checks version number of Opera");

 script_set_attribute(attribute:"synopsis", value:
"The remote host contains a web browser that is susceptible to
multiple issues." );
 script_set_attribute(attribute:"description", value:
"The version of Opera installed on the remote host reportedly may allow
a remote attacker to bypass cross-site scripting filters because it 
renders a web page without a defined charset with the charset of the 
parent page. 

In addition, its FTP implementation can be leveraged by remote
attackers to force the client to connect to arbitrary servers via FTP
PASV responses." );
 script_set_attribute(attribute:"see_also", value:"http://bindshell.net/papers/ftppasv" );
 script_set_attribute(attribute:"see_also", value:"http://www.hardened-php.net/advisory_032007.142.html" );
 script_set_attribute(attribute:"see_also", value:"http://web.archive.org/web/20080516192212/http://www.opera.com/support/search/view/855/" );
 script_set_attribute(attribute:"solution", value:
"Upgrade to Opera version 9.20 or later." );
 # A single CVSS v2 base vector is declared for the whole plugin, with partial
 # confidentiality, integrity and availability impact.
 # NOTE(review): presumably this reflects the most severe of the three CVEs
 # rather than each one individually - confirm before using it to rank a
 # single CVE.
 script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 # CWE-79: cross-site scripting.
 script_cwe_id(79);
 script_set_attribute(attribute:"plugin_publication_date", value: "2007/04/14");
 script_set_attribute(attribute:"vuln_publication_date", value: "2007/02/23");
# Declared as a "local" check: the result comes from data already collected
# about the host (the KB key required below), not from probing the browser.
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/a:opera:opera_browser");
script_end_attributes();


  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");

  # The check needs the Opera version string in the knowledge base.
  # NOTE(review): presumably opera_installed.nasl is what stores
  # SMB/Opera/Version_UI - confirm against that script.
  script_dependencies("opera_installed.nasl");
  script_require_keys("SMB/Opera/Version_UI");

  # End of the registration pass; the detection logic below is not run here.
  exit(0);
}


include("global_settings.inc");


# Detection pass: compare the Opera version string stored in the knowledge
# base against the affected range and raise a warning on a match.
version_ui = get_kb_item("SMB/Opera/Version_UI");
if (isnull(version_ui))
{
  # No Opera version was recorded for this host, so there is nothing to assess.
  exit(0);
}

# The pattern accepts "9." followed by a 0 or 1, one more digit, and then
# either the end of the string or a non-digit, i.e. 9.00 through 9.19.
# NOTE(review): major versions below 9 never match even though the plugin
# title reads "< 9.20" - confirm that older releases are out of scope on
# purpose, otherwise they are silently reported as clean.
if (version_ui =~ "^9\.[01][0-9]($|[^0-9])")
{
  port = get_kb_item("SMB/transport");

  if (!report_verbosity) security_warning(port);
  else
  {
    # Verbose reporting: include the detected version in the finding.
    report = string(
      "\n",
      "Opera version ", version_ui, " is currently installed on the remote host.\n"
    );
    security_warning(port:port, extra:report);
  }
}