Title: Opera Web Browser History Search Input Validation Vulnerability
Severity: HIGH
Description:
Opera Web Browser is a browser that runs on multiple operating systems.
The browser is prone to an input-validation vulnerability because of the way it stores data used for the History Search feature. Specifically, the 'md.dat' file contains information pertaining to previously visited webpages that is not consistently encoded. Attackers can append a '#' character followed by arbitrary content to URIs, which will subsequently be stored in the 'md.dat' file.
Attackers can exploit this issue via the following attack vectors:
1. An HTML-injection attack can occur because the browser fails to sanitize arbitrary input that will be displayed in its History Search results. The attacker's malicious script will have full access to the browsing history.
2. A cross-site scripting attack can occur via the 'q' parameter of the History Search feature.
3. An origin-validation attack can occur via the browser's preferences configuration option when used in conjunction with the History Search feature. Attackers can exploit this issue to, for example, configure a remote proxy or define arbitrary handlers for mail events. An attacker may be able to obtain sensitive information or execute arbitrary local programs within the context of the browser.
Attacker-supplied HTML and script code would execute in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, obtain sensitive information, or execute local programs in the context of the browser; other attacks are also possible.
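Vectors 1 and 2 both come down to untrusted strings (stored URIs with '#' fragments, and the 'q' parameter) reaching the results markup unencoded. The following is an added example, not Opera's code and not part of the original advisory: it renders a results page from constructed history records, with the unencoded form beside an output-encoded one. The record layout, function names and sample URLs are assumptions; the real 'md.dat' format is not described here.

```javascript
// Constructed sample records (hypothetical layout, not the md.dat format).
const sampleHistory = [
  { title: "Example Domain", url: "http://example.test/page" },
  { title: "News", url: 'http://example.test/news#"><i>constructed</i>' },
];

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Weak form: stored values and the query are concatenated into markup as-is,
// so a fragment appended to a visited URI becomes part of the page structure.
function renderResultsUnsafe(q, entries) {
  const rows = entries.map((e) => `<li><a href="${e.url}">${e.title}</a></li>`);
  return `<h1>Results for ${q}</h1><ul>${rows.join("")}</ul>`;
}

// Hardened form: every untrusted value is encoded at the point of output,
// and only http/https URLs are turned into links.
function renderResultsSafe(q, entries) {
  const rows = entries.map((e) => {
    const label = escapeHtml(e.title);
    const shown = escapeHtml(e.url);
    const linkable = /^https?:\/\//i.test(e.url);
    return linkable
      ? `<li><a href="${shown}">${label}</a> <code>${shown}</code></li>`
      : `<li>${label} <code>${shown}</code></li>`;
  });
  return `<h1>Results for ${escapeHtml(q)}</h1><ul>${rows.join("")}</ul>`;
}

// Regression check: true when the markup contains a tag the template never emits.
function containsUnexpectedTag(html) {
  const allowed = new Set(["h1", "ul", "li", "a", "code"]);
  const tags = html.match(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g) || [];
  return tags.some((t) => !allowed.has(t.replace(/[</]/g, "").toLowerCase()));
}
```

The tag check is meant as a test-suite assertion over rendered output, not as a runtime filter; the encoding in renderResultsSafe is the actual control.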
Versions prior to Opera Web Browser 9.61 are vulnerable.
NOTE: This issue was previously documented in BID 31842 (Opera Web Browser HTML Injection and Cross Site Scripting Vulnerabilities) but has been given its own record to better document the details.
Affected Products:
- Gentoo Linux
- Opera Software Opera Web Browser 9
- Opera Software Opera Web Browser 9.01
- Opera Software Opera Web Browser 9.02
- Opera Software Opera Web Browser 9.10
- Opera Software Opera Web Browser 9.20
- Opera Software Opera Web Browser 9.20 beta1
- Opera Software Opera Web Browser 9.21
- Opera Software Opera Web Browser 9.22
- Opera Software Opera Web Browser 9.23
- Opera Software Opera Web Browser 9.24
- Opera Software Opera Web Browser 9.25
- Opera Software Opera Web Browser 9.26
- Opera Software Opera Web Browser 9.27
- Opera Software Opera Web Browser 9.5
- Opera Software Opera Web Browser 9.50 beta
- Opera Software Opera Web Browser 9.51
- Opera Software Opera Web Browser 9.52
- Opera Software Opera Web Browser 9.60
- Opera Software Opera Web Browser 9.60 beta 1
- S.u.S.E. openSUSE 10.2
- S.u.S.E. openSUSE 10.3
- S.u.S.E. openSUSE 11.0
References:
- Opera: Advisory: History Search can reveal browsing history
- Opera Software: Opera Homepage