386 matches found

Opera Security Advisories
added 2013/04/04 12:0 a.m. | 5 views

RC4 encryption protocol is vulnerable to certain brute force attacks – Opera Security Advisories

Weaknesses in the RC4 encryption protocol have been found, allowing an attacker to deduce the plaintext. If the same message is encrypted many millions of times, statistical methods can be used to extract valuable information, such as cookies. Due to the time this amount of requests takes, this i...

5.8 AI score
Exploits: 0 | References: 1

Opera Security Advisories
added 2013/04/04 12:0 a.m. | 490 views

RC4 encryption protocol is vulnerable to certain brute force attacks

Weaknesses in the RC4 encryption protocol have been found, allowing an attacker to deduce the plaintext. If the same message is encrypted many millions of times, statistical methods can be used to extract valuable information, such as cookies. Due to the time this amount of requests takes, this i...

4.4 AI score
Exploits: 0 | References: 1 | Affected Software: 1

Opera Security Advisories
added 2013/04/04 12:0 a.m. | 2 views

Cookies can be set for a top-level domain – Opera Security Advisories

Browsers should only allow cookies to be set for the website that created them. In some specific cases, Opera does not apply this restriction correctly, and allows a website to set a cookie for its entire top-level domain such as .com or .co.uk. A malicious site could then redirect the user to...

5.7 AI score
Exploits: 0 | References: 1

Opera Security Advisories
added 2013/01/29 12:0 a.m. | 475 views

CORS requests can omit the preflight request

Cross-Origin Resource Sharing (CORS) requests are required to send a preflight request if custom headers are included, to check that the host wishes to allow the full request to be made. An example of where this may be needed is for sites that use a custom header with a static value as part of thei...

0.2 AI score
Exploits: 0 | Affected Software: 1

Opera Security Advisories
added 2013/01/29 12:0 a.m. | 2 views

TLS response timings can indicate network contents – Opera Security Advisories

When Opera receives incorrectly encrypted network data, Opera will detect this, and let the sender know that the data was not understood. Such encrypted error responses are marginally faster than regular responses. An attacker with access to the network can, by replacing network data, measure...

5.8 AI score
Exploits: 0 | References: 1

Opera Security Advisories
added 2013/01/29 12:0 a.m. | 6 views

Use of SVG clipPaths can allow execution of arbitrary code – Opera Security Advisories

When SVG documents with specifically prepared clipPaths are used in Opera, Opera may allow other content to overwrite the memory, before referencing the memory, which will lead to a crash. If an attacker can control the contents being written into memory, execution of arbitrary code may occur...

6.1 AI score
Exploits: 0 | References: 1

Opera Security Advisories
added 2013/01/29 12:0 a.m. | 3 views

DOM events manipulation might be used to execute arbitrary code – Opera Security Advisories

DOM events manipulation might be used to execute arbitrary code – Opera Security Advisories OPCOM Team | January 29, 2013 Severity: High Description: Particular DOM event manipulations can cause Opera to crash. In some cases, this crash might occur in a way that allows execution of arbitrary code...

6.2 AI score
Exploits: 0 | References: 1

Opera Security Advisories
added 2013/01/29 12:0 a.m. | 498 views

TLS response timings can indicate network contents

When Opera receives incorrectly encrypted network data, Opera will detect this, and let the sender know that the data was not understood. Such encrypted error responses are marginally faster than regular responses. An attacker with access to the network can, by replacing network data, measure...

1.8 AI score
Exploits: 0 | Affected Software: 1

Opera Security Advisories
added 2013/01/29 12:0 a.m. | 490 views

DOM events manipulation might be used to execute arbitrary code

Particular DOM event manipulations can cause Opera to crash. In some cases, this crash might occur in a way that allows execution of arbitrary code. To inject code, additional techniques would have to be employed...

1.7 AI score
Exploits: 0 | Affected Software: 1

Opera Security Advisories
added 2013/01/29 12:0 a.m. | 478 views

Use of SVG clipPaths can allow execution of arbitrary code

When SVG documents with specifically prepared clipPaths are used in Opera, Opera may allow other content to overwrite the memory, before referencing the memory, which will lead to a crash. If an attacker can control the contents being written into memory, execution of arbitrary code may occur...

3.7 AI score
Exploits: 0 | References: 1 | Affected Software: 1

Opera Security Advisories
added 2013/01/29 12:0 a.m. | 5 views

CORS requests can omit the preflight request – Opera Security Advisories

Cross-Origin Resource Sharing (CORS) requests are required to send a preflight request if custom headers are included, to check that the host wishes to allow the full request to be made. An example of where this may be needed is for sites that use a custom header with a static value as part of thei...

5.8 AI score
Exploits: 0 | References: 1

Opera Security Advisories
added 2012/12/20 12:0 a.m. | 475 views

Carefully timed redirects can allow cross site scripting

Scripts on a page are supposed to be restricted so that they can only interact with other pages from the same domain and security context. Carefully timed redirects can cause scripts to execute in the wrong security context in Opera. This allows cross site scripting (XSS)...

1.6 AI score
Exploits: 0 | Affected Software: 1

Opera Security Advisories
added 2012/12/20 12:0 a.m. | 2 views

Carefully timed redirects can allow cross site scripting – Opera Security Advisories

Scripts on a page are supposed to be restricted so that they can only interact with other pages from the same domain and security context. Carefully timed redirects can cause scripts to execute in the wrong security context in Opera. This allows cross site scripting (XSS)...

5.4 AI score
Exploits: 0 | References: 1

Opera Security Advisories
added 2012/12/17 12:0 a.m. | 2 views

Malformed GIF images could allow execution of arbitrary code – Opera Security Advisories

When loading GIF images into memory, Opera should allocate the correct amount of memory to store that image. Specially crafted image files can cause Opera to allocate the wrong amount of memory. Subsequent data may then overwrite unrelated memory with attacker-controlled data. This can lead to a...

5.9 AI score
Exploits: 0 | References: 1

Opera Security Advisories
added 2012/12/17 12:0 a.m. | 477 views

Private data can be disclosed to other computer users, or be modified by them

Private data such as cache, password files, and Opera's configuration files are supposed to be visible only to the user who owns the Opera profile. Opera does not set the profile folder permissions correctly, allowing other computer users to read the sensitive contents of profile files. In some...

3.7 AI score
Exploits: 0 | Affected Software: 1

Opera Security Advisories
added 2012/12/17 12:0 a.m. | 476 views

Malformed GIF images could allow execution of arbitrary code

When loading GIF images into memory, Opera should allocate the correct amount of memory to store that image. Specially crafted image files can cause Opera to allocate the wrong amount of memory. Subsequent data may then overwrite unrelated memory with attacker-controlled data. This can lead to a...

3.8 AI score
Exploits: 0 | Affected Software: 1

Opera Security Advisories
added 2012/12/17 12:0 a.m. | 4 views

Repeated attempts to access a target site can trigger address field spoofing – Opera Security Advisories

The browser address field should always show the correct address for the page that is currently being displayed. By making repeated requests to load a target site in rapid succession, an attacking web site can cause Opera to display the target site's address while the attacking page is still being...

5.7 AI score
Exploits: 0 | References: 1

Opera Security Advisories
added 2012/12/17 12:0 a.m. | 2 views

Private data can be disclosed to other computer users, or be modified by them – Opera Security Advisories

Private data such as cache, password files, and Opera’s configuration files are supposed to be visible only to the user who owns the Opera profile. Opera does not set the profile folder permissions correctly, allowing other computer users to read the sensitive contents of profile files. In some...

5.8 AI score
Exploits: 0 | References: 1

Opera Security Advisories
added 2012/12/17 12:0 a.m. | 472 views

Repeated attempts to access a target site can trigger address field spoofing

The browser address field should always show the correct address for the page that is currently being displayed. By making repeated requests to load a target site in rapid succession, an attacking web site can cause Opera to display the target site's address while the attacking page is still being...

1.5 AI score
Exploits: 0 | Affected Software: 1

Opera Security Advisories
added 2012/11/19 12:0 a.m. | 489 views

HTTP response heap buffer overflow can allow execution of arbitrary code

When requesting pages using HTTP, Opera temporarily stores the response in a buffer. In some cases, Opera may incorrectly allocate too little space for a buffer, and may then store too much of the response in that buffer. This causes a buffer overflow, which in turn can lead to a memory corruptio...

1 AI score
Exploits: 0 | Affected Software: 1

Opera Security Advisories
added 2012/11/19 12:0 a.m. | 488 views

Error pages can be used to guess local file paths

Remote web pages should not be able to detect what files a user has on their local machine. Certain error pages do not apply this restriction correctly, allowing web pages to produce an error page where a script can run. The script can then use various events to detect whether files on the user's...

1 AI score
Exploits: 0 | Affected Software: 1

Opera Security Advisories
added 2012/11/19 12:0 a.m. | 2 views

HTTP response heap buffer overflow can allow execution of arbitrary code – Opera Security Advisories

When requesting pages using HTTP, Opera temporarily stores the response in a buffer. In some cases, Opera may incorrectly allocate too little space for a buffer, and may then store too much of the response in that buffer. This causes a buffer overflow, which in turn can lead to a memory corruptio...

6.1 AI score
Exploits: 0 | References: 1

Opera Security Advisories
added 2012/11/19 12:0 a.m. | 2 views

Error pages can be used to guess local file paths – Opera Security Advisories

Remote web pages should not be able to detect what files a user has on their local machine. Certain error pages do not apply this restriction correctly, allowing web pages to produce an error page where a script can run. The script can then use various events to detect whether files on the user’s...

5.8 AI score
Exploits: 0 | References: 1

Opera Security Advisories
added 2012/11/07 12:0 a.m. | 477 views

Specially crafted WebP images can be used to disclose random chunks of memory

WebP images may be used as fill patterns in a HTML5 Canvas, and the values of each pixel in the image can then be intentionally read using scripts. Specially crafted WebP images may specify the wrong size for certain parts of their data, which causes Opera to read data from the wrong positions in...

1.9 AI score
Exploits: 0 | Affected Software: 1

Opera Security Advisories
added 2012/11/07 12:0 a.m. | 2 views

Specially crafted WebP images can be used to disclose random chunks of memory – Opera Security Advisories

WebP images may be used as fill patterns in a HTML5 Canvas, and the values of each pixel in the image can then be intentionally read using scripts. Specially crafted WebP images may specify the wrong size for certain parts of their data, which causes Opera to read data from the wrong positions in...

5.8 AI score
Exploits: 0 | References: 1

Opera Security Advisories
added 2012/11/02 12:0 a.m. | 478 views

Data URIs can be used to facilitate Cross-Site Scripting

Data URIs are only supposed to inherit the scripting origin from the site that creates them, such as by including them as the target of a link or an inline frame in the source of the document. Specific sequences of document and data URI loading can cause Opera to forget which document created the...

1.3 AI score
Exploits: 0 | Affected Software: 1

Opera Security Advisories
added 2012/11/02 12:0 a.m. | 4 views

CORS requests can incorrectly retrieve contents of cross origin pages – Opera Security Advisories

CORS (Cross-Origin Resource Sharing) allows web pages to retrieve the contents of pages from other sites, with their permission, as they would appear for the current user. When requests are made in this way, the browser should only allow the page content to be retrieved if the target site sends the...

5.8 AI score
Exploits: 0 | References: 1

Opera Security Advisories
added 2012/11/02 12:0 a.m. | 489 views

Cross domain access to object constructors can be used to facilitate cross-site scripting

JavaScripts are able to redefine and override the methods of native objects. They may also do this with the native objects of any document that shares the same origin. By redefining the methods of another document through the constructor property of the document's host objects, a malicious script...

0.8 AI score
Exploits: 0 | Affected Software: 1

Opera Security Advisories
added 2012/11/02 12:0 a.m. | 6 views

Specially crafted SVG images can allow execution of arbitrary code – Opera Security Advisories

Opera can display images created using the Scalable Vector Graphics (SVG) format. Specially crafted and malformed SVG images may cause Opera to crash when their documents are unloaded, and the crash may allow execution of malicious arbitrary code. To inject code, additional techniques will have to ...

6 AI score
Exploits: 0 | References: 1

Opera Security Advisories
added 2012/11/02 12:0 a.m. | 2 views

Certificate revocation service failure may cause Opera to show an unverified site as secure – Opera Security Advisories

When accessing secure websites, Opera checks with a number of services to check if the website’s security certificate has been revoked. Normally, if Opera cannot check revocation status, it will not present the site as secure. In some cases, a failure in one of these services can cause Opera not ...

5.7 AI score
Exploits: 0 | References: 1

Opera Security Advisories
added 2012/11/02 12:0 a.m. | 479 views

Internet shortcuts used for phishing in <img> elements

Websites may occasionally want to display image content from untrusted sources. A phishing attack may be carried out by the untrusted source, by displaying malicious instructions on the image, or by navigating the containing page to a similar looking document on another server. Since some image...

0.2 AI score
Exploits: 0 | Affected Software: 1

Opera Security Advisories
added 2012/11/02 12:0 a.m. | 2 views

Data URIs can be used to facilitate Cross-Site Scripting – Opera Security Advisories

Data URIs are only supposed to inherit the scripting origin from the site that creates them, such as by including them as the target of a link or an inline frame in the source of the document. Specific sequences of document and data URI loading can cause Opera to forget which document created the...

5.5 AI score
Exploits: 0 | References: 1

Opera Security Advisories
added 2012/11/02 12:0 a.m. | 3 views

Internet shortcuts used for phishing in <img> elements – Opera Security Advisories

Websites may occasionally want to display image content from untrusted sources. A phishing attack may be carried out by the untrusted source, by displaying malicious instructions on the image, or by navigating the containing page to a similar looking document on another server. Since some image...

5.8 AI score
Exploits: 0 | References: 1

Opera Security Advisories
added 2012/11/02 12:0 a.m. | 472 views

CORS requests can incorrectly retrieve contents of cross origin pages

CORS (Cross-Origin Resource Sharing) allows web pages to retrieve the contents of pages from other sites, with their permission, as they would appear for the current user. When requests are made in this way, the browser should only allow the page content to be retrieved if the target site sends the...

2 AI score
Exploits: 0 | Affected Software: 1

Opera Security Advisories
added 2012/11/02 12:0 a.m. | 487 views

Specially crafted SVG images can allow execution of arbitrary code

Opera can display images created using the Scalable Vector Graphics (SVG) format. Specially crafted and malformed SVG images may cause Opera to crash when their documents are unloaded, and the crash may allow execution of malicious arbitrary code. To inject code, additional techniques will have to ...

3.3 AI score
Exploits: 0 | Affected Software: 1

Opera Security Advisories
added 2012/11/02 12:0 a.m. | 3 views

Cross domain access to object constructors can be used to facilitate cross-site scripting – Opera Security Advisories

JavaScripts are able to redefine and override the methods of native objects. They may also do this with the native objects of any document that shares the same origin. By redefining the methods of another document through the constructor property of the document’s host objects, a malicious script...

5.7 AI score
Exploits: 0 | References: 1

Opera Security Advisories
added 2012/11/02 12:0 a.m. | 488 views

Certificate revocation service failure may cause Opera to show an unverified site as secure

When accessing secure websites, Opera checks with a number of services to check if the website's security certificate has been revoked. Normally, if Opera cannot check revocation status, it will not present the site as secure. In some cases, a failure in one of these services can cause Opera not ...

1.9 AI score
Exploits: 0 | Affected Software: 1

Opera Security Advisories
added 2012/08/27 12:0 a.m. | 485 views

Truncated dialogs may be used to trick users

When an important dialog is being displayed, such as a download dialog, the entire dialog should be visible, so that the user can clearly see what the dialog's buttons will do. In some cases, specific user interactions can cause Opera not to enforce this correctly, allowing the window to become...

4.2 AI score
Exploits: 0 | Affected Software: 1

Opera Security Advisories
added 2012/08/27 12:0 a.m. | 3 views

Truncated dialogs may be used to trick users – Opera Security Advisories

When an important dialog is being displayed, such as a download dialog, the entire dialog should be visible, so that the user can clearly see what the dialog’s buttons will do. In some cases, specific user interactions can cause Opera not to enforce this correctly, allowing the window to become...

5.8 AI score
Exploits: 0 | References: 1

Opera Security Advisories
added 2012/08/01 12:0 a.m. | 2 views

Certain characters in HTML can incorrectly be ignored, which can facilitate XSS attacks – Opera Security Advisories

Sites that allow content to be provided by untrusted users, such as forums and blogging sites, typically sanitize the untrusted content to ensure that it does not contain any harmful content, such as malicious scripts. When certain characters appear at specific locations within HTML markup, they...

5.6 AI score
Exploits: 0 | References: 1

Opera Security Advisories
added 2012/08/01 12:0 a.m. | 482 views

Small windows can be used in several ways to trick users into executing downloads

When the download dialog is displayed, it should always be visible to the user, to ensure that the user realizes it is there. If the dialog is displayed in a small enough window, the user may not realize it is being displayed, and if the right keyboard sequence is carefully followed, they can end...

0.8 AI score
Exploits: 0 | Affected Software: 1

Opera Security Advisories
added 2012/08/01 12:0 a.m. | 474 views

Certain characters in HTML can incorrectly be ignored, which can facilitate XSS attacks

Sites that allow content to be provided by untrusted users, such as forums and blogging sites, typically sanitize the untrusted content to ensure that it does not contain any harmful content, such as malicious scripts. When certain characters appear at specific locations within HTML markup, they...

2 AI score
Exploits: 0 | Affected Software: 1

Opera Security Advisories
added 2012/08/01 12:0 a.m. | 495 views

Plug-in content may monitor keystrokes on unrelated pages

Plug-ins may use operating system features to detect key presses when the plug-in is focused. If the plug-in does not detect its own focused state correctly, it can detect key presses when other pages are focused, allowing the plug-in content to detect key presses intended for pages from other...

2 AI score
Exploits: 0 | Affected Software: 1

Opera Security Advisories
added 2012/08/01 12:0 a.m. | 2 views

Certain URL constructs can allow arbitrary code execution – Opera Security Advisories

Certain page address (URL) constructs can cause Opera to allocate the wrong amount of memory for storing the address. When it then attempts to store the address, it will overwrite unrelated memory with attacker-controlled data. This can lead to a crash, which may also execute that data as code...

5.9 AI score
Exploits: 0 | References: 1

Opera Security Advisories
added 2012/08/01 12:0 a.m. | 489 views

Certain URL constructs can allow arbitrary code execution

Certain page address (URL) constructs can cause Opera to allocate the wrong amount of memory for storing the address. When it then attempts to store the address, it will overwrite unrelated memory with attacker-controlled data. This can lead to a crash, which may also execute that data as code...

3.7 AI score
Exploits: 0 | Affected Software: 1

Opera Security Advisories
added 2012/08/01 12:0 a.m. | 2 views

Small windows can be used in several ways to trick users into executing downloads – Opera Security Advisories

When the download dialog is displayed, it should always be visible to the user, to ensure that the user realizes it is there. If the dialog is displayed in a small enough window, the user may not realize it is being displayed, and if the right keyboard sequence is carefully followed, they can end...

5.8 AI score
Exploits: 0 | References: 1

Opera Security Advisories
added 2012/08/01 12:0 a.m. | 3 views

Element HTML content can be incorrectly returned without escaping, bypassing some HTML sanitizers – Opera Security Advisories

When sites accept HTML from untrusted users, and use that HTML as page content, they typically sanitize the untrusted HTML to ensure that it does not contain any harmful content, such as malicious scripts. In some cases, this sanitization may be performed by writing and reading the contents of DO...

5.6 AI score
Exploits: 0 | References: 1

Opera Security Advisories
added 2012/08/01 12:0 a.m. | 504 views

Element HTML content can be incorrectly returned without escaping, bypassing some HTML sanitizers

When sites accept HTML from untrusted users, and use that HTML as page content, they typically sanitize the untrusted HTML to ensure that it does not contain any harmful content, such as malicious scripts. In some cases, this sanitization may be performed by writing and reading the contents of DO...

0.2 AI score
Exploits: 0 | Affected Software: 1

Opera Security Advisories
added 2012/08/01 12:0 a.m. | 2 views

Plug-in content may monitor keystrokes on unrelated pages – Opera Security Advisories

Plug-ins may use operating system features to detect key presses when the plug-in is focused. If the plug-in does not detect its own focused state correctly, it can detect key presses when other pages are focused, allowing the plug-in content to detect key presses intended for pages from other...

5.8 AI score
Exploits: 0 | References: 1

Opera Security Advisories
added 2012/06/12 12:0 a.m. | 481 views

Hidden keyboard navigation can allow cross site scripting or code execution

When a user is interacting with a window, that window should be visible to the user, to ensure that the user realizes it is there. If a page is displayed in a small enough window, the user may not realize it is being displayed, and if the right keyboard sequence is carefully followed, they can en...

7 AI score
Exploits: 0 | Affected Software: 1

Total number of security vulnerabilities: 386