CVE-2004-1157
CVSS 7.5
Published: 2005-01-10 00:00:00
Last revised: 2008-09-05 16:40:33

[Original] Opera 7.x up to 7.54, and possibly other versions, allows remote attackers to spoof arbitrary web sites by injecting content from one window into a target window whose name is known but resides in a different domain, as demonstrated using a pop-up window on a trusted web site, aka the "window injection" vulnerability.


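[CNNVD] Opera WebBrowser window hijacking vulnerability (CNNVD-200501-019)

        Opera is a web browser.
        Opera 7.x through 7.54, and other versions, contain a window hijacking vulnerability.
        A remote attacker can exploit the vulnerability to carry out spoofing, for example by using a pop-up window on a trusted web site.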

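- CVSS (Base Score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]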

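- CPE (Affected Platforms and Products)

Product and version information (CPE) is not currently available

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links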

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1157
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1157
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200501-019
(Official data source) CNNVD

- Other Links and Resources

http://www.gentoo.org/security/en/glsa/glsa-200502-17.xml
(UNKNOWN)  GENTOO  GLSA-200502-17
http://secunia.com/secunia_research/2004-13/advisory/
(UNKNOWN)  MISC  http://secunia.com/secunia_research/2004-13/advisory/
http://secunia.com/multiple_browsers_window_injection_vulnerability_test/
(UNKNOWN)  MISC  http://secunia.com/multiple_browsers_window_injection_vulnerability_test/
http://secunia.com/advisories/13253/
(VENDOR_ADVISORY)  SECUNIA  13253

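- Vulnerability Information

Opera WebBrowser window hijacking vulnerability
High risk    Design error
2005-01-10 00:00:00 2005-10-20 00:00:00
Remote
        Opera is a web browser.
        Opera 7.x through 7.54, and other versions, contain a window hijacking vulnerability.
        A remote attacker can exploit the vulnerability to carry out spoofing, for example by using a pop-up window on a trusted web site.

- Advisories and Patches

        The vendor has released an upgrade patch to fix this security issue. The patch is available at: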
        http://www.opera.com/browser/

- Vulnerability Information

59844
Opera Cross-domain Browser Window Injection Content Spoofing
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability Description

- Timeline

2004-12-08 Unknown
Unknown Unknown

- Solution

Products

Unknown or Incomplete

- Related References

- Vulnerability Author

Unknown or Incomplete

- Vulnerability Information

Opera Web Browser Remote Window Hijacking Vulnerability
Design Error 11856
Yes No
2004-12-08 12:00:00 2009-07-12 08:07:00
Discovery of this issue is credited to Secunia Research.

- Affected Software Versions

S.u.S.E. Linux Professional 9.3 x86_64
S.u.S.E. Linux Professional 9.3
S.u.S.E. Linux Professional 9.2 x86_64
S.u.S.E. Linux Professional 9.2
S.u.S.E. Linux Professional 9.1 x86_64
S.u.S.E. Linux Professional 9.1
S.u.S.E. Linux Professional 9.0 x86_64
S.u.S.E. Linux Professional 9.0
S.u.S.E. Linux Professional 8.2
S.u.S.E. Linux Personal 9.3 x86_64
S.u.S.E. Linux Personal 9.3
S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1 x86_64
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 9.0 x86_64
S.u.S.E. Linux Personal 9.0
S.u.S.E. Linux Personal 8.2
Opera Software Opera Web Browser 8.0
Opera Software Opera Web Browser 7.54
Gentoo Linux
Opera Software Opera Web Browser 8.0 1

- Unaffected Software Versions

Opera Software Opera Web Browser 8.0 1

- Vulnerability Discussion

Opera Web Browser is reported prone to a vulnerability that may allow a Web site to hijack the contents of a trusted window. This issue may allow a remote attacker to carry out phishing-style attacks.

This issue arises when a user visits a malicious site and follows a link to a trusted site. Once the link to the trusted site is followed, the victim must open a pop-up window from the trusted site that can be influenced by the attacker's site.

If successful, the contents of the target site's window can be spoofed, resulting in phishing-style attacks.

Opera Web Browser 7.54 is reported vulnerable to this issue; however, it is possible that other versions are affected as well.

- Exploit

A proof of concept is available from the following location:

http://secunia.com/multiple_browsers_window_injection_vulnerability_test/

- Solution

The vendor has released fixes to address this and other issues.

Gentoo has released an advisory (GLSA 200502-17) and an updated eBuild to address this and other issues in the Opera Web Browser. This update can be installed by issuing the following sequence of commands as a superuser:
emerge --sync
emerge --ask --oneshot --verbose ">=net-www/opera-7.54-r3"

The vendor has released Opera 8.01 to address this issue in Opera 8.0.

SUSE has released security announcement SUSE-SA:2005:034 addressing this issue. Please see the referenced advisory for further information.


Opera Software Opera Web Browser 7.54

Opera Software Opera Web Browser 8.0

- Related References

 

 
