Opera FTP View Cross-Scripting Flaw

Discussion in 'other security issues & news' started by Paul Wilders, Aug 8, 2002.

Thread Status:
Not open for further replies.
  1. Paul Wilders

    Paul Wilders Administrator

    Author:
    Eiji James Yoshida [ptrs-ejy@bp.iij4u.or.jp]

    Risk:
    Medium

    Vulnerable:
    Windows2000 SP2 Opera 6.03
    Windows2000 SP2 Opera 6.04


    Overview:
    Opera allows running malicious scripts due to a bug in 'FTP view'.
    If you click on a malicious link, the script embedded in the URL will run.

    Details:
    This problem is in 'FTP view'.
    The '<title>URL</title>' is not escaped.

    Exploit code:
    deleted - Forum Admin

    Example:
    deleted - Forum Admin

    Demonstration:
    www.geocities.co.jp/SiliconValley/1667/advisory04e.html

    Workaround:
    Disable JavaScript.

    Vendor status:
    Opera Software ASA was notified on 30 June 2002.

    -------

    source: bugtraq
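
The advisory's root cause, a URL placed unescaped into the listing page's `<title>`, can be shown next to its fix. This is an added example, not code from the advisory or from Opera; the function names, the sample URL with inert markup, and the assumption that the URL is percent-decoded for display are all constructed for illustration.

```javascript
// Added illustration: a generated FTP listing page whose <title> is the URL.
// Hypothetical names throughout; this is not Opera's implementation.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the characters that carry meaning in HTML text and attributes.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Assumption: the browser shows the percent-decoded form of the URL.
// Malformed escapes (e.g. "%zz") make decodeURIComponent throw, so keep the raw text.
function displayForm(url) {
  try { return decodeURIComponent(url); } catch (e) { return url; }
}

function buildPage(title, items) {
  const rows = items.map((item) => `<li>${item}</li>`).join('');
  return `<html><head><title>${title}</title></head><body><ul>${rows}</ul></body></html>`;
}

// Behaviour described in the advisory: URL text goes into the page as-is.
function renderListingUnsafe(url, names) {
  return buildPage(displayForm(url), names);
}

// Fix: decode first, then HTML-escape every piece of untrusted text on output.
function renderListingSafe(url, names) {
  return buildPage(escapeHtml(displayForm(url)), names.map(escapeHtml));
}

// Regression check: nothing between the first <title> and the last </title>
// may contain a raw angle bracket. The greedy match is deliberately conservative.
function titleIsInert(html) {
  const m = /<title>([\s\S]*)<\/title>/.exec(html);
  return m !== null && !/[<>]/.test(m[1]);
}

// Constructed sample: percent-encoded inert markup in the path component.
const SAMPLE_URL = 'ftp://ftp.example.test/pub/%3Ci%3Ex%3C/i%3E/';
const SAMPLE_NAMES = ['README', 'a&b.txt'];

console.log('unsafe title inert:', titleIsInert(renderListingUnsafe(SAMPLE_URL, SAMPLE_NAMES)));
console.log('safe title inert:  ', titleIsInert(renderListingSafe(SAMPLE_URL, SAMPLE_NAMES)));
```

Escaping has to happen after decoding; escaping the still-encoded URL and decoding afterwards would put the raw characters back.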
     