| VID |
28068 |
| Severity |
30 |
| Port |
139,445 |
| Protocol |
TCP |
| Class |
SMB |
| Detailed Description |
The Opera on the host, according to its version number, has an arbitrary file deletion vulnerability. Opera is a Web browser, developed by Opera Software, for multiple operating systems. Opera versions prior to 7.23 build 3227 could allow a remote attacker to traverse directories and delete arbitrary files on the affected system. Opera creates a temporary file when displaying the download dialog window. The vulnerability is caused due to an input validation error during the creation of the temporary file, which allows a malicious URL to contain hexadecimal URL encoded "dot dot" sequences (in the form of ..%5c..%5c) to traverse directories on the victim's system. The file with this string can be located on any paths on the same drive as the temporary file. Successful exploitation allows a malicious website to overwrite and delete arbitrary files on a user's system with the user's privileges.
Example, which overwrites "calc.exe" on a user's system:
http://[malicious_website]/[path]/AAAAAAAAAA%5C..%5C..%5Ccalc.exe
* Note: This check requires an account with administrative privileges which can log into the host to scan. Absence of these condition will result in the check not being performed and a False Negative for all vulnerable hosts.
* References:
http://opera.rainyblue.org/modules/cjaycontent/index.php?id=16
http://www.secunia.com/advisories/10425
http://www.securityfocus.com/archive/1/348278
* Platforms Affected:
Opera 7.22 and earlier
Linux Any version
Windows Any version |
| Recommendation |
Upgrade to the latest version of Opera (7.23 build 3227 or later), available from the Opera Web site at http://www.opera.com/download/ |
| Related URL |
(CVE) |
| Related URL |
9279 (SecurityFocus) |
| Related URL |
13977 (ISS) |
|
