====================================================================
                          CERT-Renater

               Information Note No. 2012/VULN444
____________________________________________________________________

DATE                 : 06/11/2012

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running Opera versions prior to 12.10.

====================================================================
http://www.opera.com/support/kb/view/1030/
http://www.opera.com/support/kb/view/1031/
http://www.opera.com/support/kb/view/1033/
http://www.opera.com/support/kb/view/1034/
http://www.opera.com/support/kb/view/1029/
____________________________________________________________________

Advisory: CORS requests can incorrectly retrieve contents of cross
origin pages

Severity

High

Description

CORS (Cross-Origin Resource Sharing) allows web pages to retrieve the
contents of pages from other sites, with their permission, as they
would appear for the current user. When requests are made in this
way, the browser should only allow the page content to be retrieved
if the target site sends the correct headers that give permission for
their contents to be used in this way.

Specially crafted requests may trick Opera into thinking that the
target site has given permission when it had not done so. This can
result in the contents of any target page being revealed to untrusted
sites, including any sensitive information or session IDs contained
within the source of those pages.

Opera's Response

Opera Software has released Opera 12.10, where this issue has been
fixed.

____________________________________________________________________

Advisory: Data URIs can be used to facilitate Cross-Site Scripting

Severity

High

Description

Data URIs are only supposed to inherit the scripting origin from the
site that creates them, such as by including them as the target of a
link or an inline frame in the source of the document.

Specific sequences of document and data URI loading can cause Opera
to forget which document created the data URI, and to allow the data
URI document to inherit the scripting origin of a target page
instead. The data URI document would then be allowed to interact with
the target page, instead of the document that created it, resulting
in cross-site scripting (XSS).

Opera's Response

Opera Software has released Opera 12.10, where this issue has been
fixed.

Credits

Thanks to multiple users who reported this issue to Opera Software
after its details were publicized.

____________________________________________________________________

Advisory: Specially crafted SVG images can allow execution of
arbitrary code

Severity

Critical

Description

Opera can display images created using the Scalable Vector Graphics
(SVG) format. Specially crafted and malformed SVG images may cause
Opera to crash when their documents are unloaded, and the crash may
allow execution of malicious arbitrary code. To inject code,
additional techniques will have to be employed.

Opera's Response

Opera Software has released Opera 12.10, where this issue has been
fixed.

Credits

Thanks to Attila Suszter for reporting this issue to Opera Software.

____________________________________________________________________

Advisory: Internet shortcuts used for phishing in <img> elements

Severity

None

Description

Websites may occasionally want to display image content from
untrusted sources. A phishing attack may be carried out by the
untrusted source, by displaying malicious instructions on the image,
or by navigating the containing page to a similar looking document on
another server. Since some image formats, such as Scalable Vector
Graphics (SVG), support scripted or plug-in content, websites may use
the <img> element to sanitize the content in the image, sandboxing it
or preventing active content from running inside the image.

This sandboxing behavior is mandated by HTML versions since HTML5, in
order to assist sites that attempt to rely on it.

If the image redirects to an Internet shortcut, Opera would follow
and open it, navigating the containing document to the target page.
This has no direct security impact as the address bar will show the
correct address when this happens. However, examples of this have
been detected in active use, as part of phishing attacks, relying on
users not to notice that the page address is incorrect.

Opera's Response

Opera Software has released Opera 12.10, which does not follow
Internet shortcuts loaded from within inline elements, such as <img>
elements.

____________________________________________________________________

Advisory: Certificate revocation service failure may cause Opera to
show an unverified site as secure

Severity

Moderate

Description

When accessing secure websites, Opera queries a number of services to
check whether the website's security certificate has been revoked.
Normally, if Opera cannot check revocation status, it will not
present the site as secure.

In some cases, a failure in one of these services can cause Opera not
to check other services. In this case, Opera might present the site
as secure, even though it failed to complete checking the revocation
status.

Opera's Response

Opera Software has released Opera 12.10, where this issue has been
fixed.

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23 - 25 Rue Daviel  | fax : 01-53-94-20-41            +
+ 75013 Paris         | email: certsvp@renater.fr       +
=========================================================
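
Added example for the CORS advisory above (not part of the original note and not Opera's code): the permission check a browser is expected to apply to response headers before a page may read a cross-origin response. Function names and the sample origins are hypothetical; the header names are those defined by CORS.

```javascript
// Added example: header names follow the CORS specification; function
// names and sample values are hypothetical.

// Value of a response header, or null when it is absent or sent more than once.
function singleHeader(headers, name) {
  const values = headers
    .filter(([key]) => key.toLowerCase() === name)
    .map(([, value]) => value.trim());
  return values.length === 1 ? values[0] : null;
}

// requestOrigin: serialized origin of the requesting page.
// withCredentials: true when cookies or HTTP authentication were sent.
// headers: [name, value] pairs from the cross-origin response.
function corsCheck(requestOrigin, withCredentials, headers) {
  const allowOrigin = singleHeader(headers, "access-control-allow-origin");
  if (allowOrigin === null) {
    return { allowed: false, reason: "no usable Access-Control-Allow-Origin" };
  }
  if (!withCredentials && allowOrigin === "*") {
    return { allowed: true, reason: "wildcard on a request without credentials" };
  }
  // Exact, case-sensitive match: no prefix, suffix or substring matching.
  if (allowOrigin !== requestOrigin) {
    return { allowed: false, reason: "origin not permitted" };
  }
  if (!withCredentials) {
    return { allowed: true, reason: "origin permitted" };
  }
  const allowCreds = singleHeader(headers, "access-control-allow-credentials");
  return allowCreds === "true"
    ? { allowed: true, reason: "origin and credentials permitted" }
    : { allowed: false, reason: "credentials not permitted" };
}

// Constructed sample responses for a page at https://app.example.
const page = "https://app.example";
const noHeaders = [["Content-Type", "text/html"]];
const wildcard = [["Access-Control-Allow-Origin", "*"]];
const lookalike = [["Access-Control-Allow-Origin", "https://app.example.evil.test"]];
const granted = [
  ["Access-Control-Allow-Origin", "https://app.example"],
  ["Access-Control-Allow-Credentials", "true"],
];
```

A response without the permission headers, a wildcard on a credentialed request, and a look-alike origin are all refused; only the exact origin together with the credentials header is accepted for a request made as the current user.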
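
Added example for the certificate revocation advisory above (not part of the original note and not Opera's code): the failure mode it describes next to a fail-closed form. The status names, the rule that one definitive "good" answer is sufficient, and the synchronous checker interface are assumptions made for the illustration.

```javascript
// Added illustration; status names and the decision policy are assumptions,
// not Opera's implementation. Checkers are synchronous for brevity.
const KNOWN = new Set(["good", "revoked"]);

// Failure mode from the advisory: the first error ends the loop, and
// "nothing said revoked" is then mistaken for "verified".
function flawedState(checkers, cert) {
  let revoked = false;
  for (const { check } of checkers) {
    try {
      if (check(cert) === "revoked") revoked = true;
    } catch (err) {
      break; // remaining services are never consulted
    }
  }
  return revoked ? "blocked" : "secure";
}

// Corrected form: every service is consulted, errors are recorded as
// "unavailable", and the site is secure only on a definitive "good".
function queryAll(checkers, cert) {
  return checkers.map(({ source, check }) => {
    try {
      const status = check(cert);
      return { source, status: KNOWN.has(status) ? status : "unavailable" };
    } catch (err) {
      return { source, status: "unavailable" };
    }
  });
}

function securityState(results) {
  if (results.some((r) => r.status === "revoked")) return "blocked";
  if (results.some((r) => r.status === "good")) return "secure";
  return "not-secure"; // no service gave an answer: fail closed
}

// Constructed sample services: OCSP times out, the CRL lists the certificate.
const sampleCheckers = [
  { source: "ocsp", check: () => { throw new Error("timeout"); } },
  { source: "crl", check: () => "revoked" },
];
const allDown = [sampleCheckers[0]];
```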