Published: 2005-01-10 00:00:00
Revised: 2008-09-05 16:40:33

[Original] Opera 7.x up to 7.54, and possibly other versions, allows remote attackers to spoof arbitrary web sites by injecting content from one window into a target window whose name is known but resides in a different domain, as demonstrated using a pop-up window on a trusted web site, aka the "window injection" vulnerability.

[CNNVD] Opera WebBrowser Window Hijacking Vulnerability (CNNVD-200501-019)

        Opera 7.x through 7.54, and other versions, contain a window hijacking vulnerability.

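- CVSS (Base Score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]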

- CPE (Affected platforms and products)


- OVAL (Technical details for detection)


- Official database links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

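- Other links and resources

- Vulnerability information

Opera WebBrowser Window Hijacking Vulnerability
High risk Design error
2005-01-10 00:00:00 2005-10-20 00:00:00
        Opera 7.x through 7.54, and other versions, contain a window hijacking vulnerability.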

- Advisories and patches


- Vulnerability information

Opera Cross-domain Browser Window Injection Content Spoofing
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

- Timeline

2004-12-08 Unknown
Unknown Unknown

- Solution


Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Opera Web Browser Remote Window Hijacking Vulnerability
Design Error 11856
Yes No
2004-12-08 12:00:00 2009-07-12 08:07:00
Discovery of this issue is credited to Secunia Research.

- Affected software versions

S.u.S.E. Linux Professional 9.3 x86_64
S.u.S.E. Linux Professional 9.3
S.u.S.E. Linux Professional 9.2 x86_64
S.u.S.E. Linux Professional 9.2
S.u.S.E. Linux Professional 9.1 x86_64
S.u.S.E. Linux Professional 9.1
S.u.S.E. Linux Professional 9.0 x86_64
S.u.S.E. Linux Professional 9.0
S.u.S.E. Linux Professional 8.2
S.u.S.E. Linux Personal 9.3 x86_64
S.u.S.E. Linux Personal 9.3
S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1 x86_64
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 9.0 x86_64
S.u.S.E. Linux Personal 9.0
S.u.S.E. Linux Personal 8.2
Opera Software Opera Web Browser 8.0
Opera Software Opera Web Browser 7.54
Gentoo Linux
Opera Software Opera Web Browser 8.01

- Unaffected software versions

Opera Software Opera Web Browser 8.01

- Vulnerability discussion

Opera Web Browser is reported prone to a vulnerability that may allow a Web site to hijack the contents of a trusted window. This issue may allow a remote attacker to carry out phishing-style attacks.

This issue arises when a user visits a malicious site and follows a link to a trusted site. Once the link to the trusted site is followed, the victim must open a pop-up window from the trusted site that can be influenced by the attacker's site.

If successful, the contents of the target site's window can be spoofed, resulting in phishing-style attacks.

Opera Web Browser 7.54 is reported vulnerable to this issue; however, it is possible that other versions are affected as well.

- Exploit

A proof of concept is available from the following location:

- Solution

The vendor has released fixes to address this and other issues.

Gentoo has released an advisory (GLSA 200502-17) and an updated eBuild to address this and other issues in the Opera Web Browser. This update can be installed by issuing the following sequence of commands as a superuser:
emerge --sync
emerge --ask --oneshot --verbose ">=net-www/opera-7.54-r3"

The vendor has released Opera 8.01 to address this issue in Opera 8.0.

SUSE has released security announcement SUSE-SA:2005:034 addressing this issue. Please see the referenced advisory for further information.

Opera Software Opera Web Browser 7.54

Opera Software Opera Web Browser 8.0

- Related references