CERT-In Vulnerability Note CIVN-2008-150
Opera Web Browser Unicode Whitespace Cross-Site Scripting Vulnerability
Original Issue Date: October 06, 2008
Severity Rating: High
Systems Affected
- Opera versions prior to 9.52
Overview
A vulnerability has been reported in Opera Web Browser, which can facilitate cross-site scripting attacks.
Description
The vulnerability is caused by certain Unicode characters being interpreted as white space.
The Unicode specification assigns binary property metadata to code points, one of which is the 'white-space' property. In Opera, almost any character with a Unicode white-space property can be used to represent a normal white-space character.
A remote attacker could exploit this vulnerability to enable cross-site scripting (XSS) attacks. Exploiting this issue would also be useful to evade HTML filters, WAFs, or other detection systems which try to prevent XSS attacks.
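A defensive check for the filter gap described above, as an added example that is not part of the CERT-In note or of Opera's code: it reports code points that carry the Unicode White_Space property but are not ASCII white space when they occur inside markup tags, and rewrites them to a plain space so that a filter splits the tag the same way an affected browser would. The function names and the sample markup are constructed for illustration.

```javascript
// Added example (not from the advisory). Sample markup is constructed.

// Code points with the Unicode White_Space property, excluding the ASCII
// white space an HTML tokenizer splits on (TAB, LF, FF, CR, SPACE).
// The exact set depends on the Unicode version shipped with the JS engine.
const UNICODE_WS = /[^\P{White_Space}\t\n\f\r ]/gu;

// Coarse tag matcher: everything from '<' to the next '>'.
const TAG = /<[^>]*>/g;

// Report each non-ASCII white-space code point found inside a tag.
function findUnicodeWhitespaceInTags(html) {
  const findings = [];
  for (const tag of html.matchAll(TAG)) {
    for (const m of tag[0].matchAll(UNICODE_WS)) {
      const hex = m[0].codePointAt(0).toString(16).toUpperCase();
      findings.push({
        offset: tag.index + m.index,
        codePoint: 'U+' + hex.padStart(4, '0'),
      });
    }
  }
  return findings;
}

// Rewrite those code points to a plain space, inside tags only, so that
// later filtering sees the same token boundaries as the browser.
function normalizeTags(html) {
  return html.replace(TAG, (tag) => tag.replace(UNICODE_WS, ' '));
}

// Tag name as seen by a filter that splits on ASCII white space only.
function asciiTagName(tag) {
  return tag.slice(1).split(/[\t\n\f\r >]/)[0];
}

// Constructed input: U+00A0 in text content (left alone) and U+2003
// between a tag name and its attribute (flagged and normalized).
const sample = '<p>a\u00A0b</p><a\u2003href="https://example.test/">x</a>';

console.log(findUnicodeWhitespaceInTags(sample));
console.log(JSON.stringify(normalizeTags(sample)));
```

Run the normalization before any allow-list or pattern check on tags and attributes, and log the findings: non-ASCII white space inside a tag is rare in legitimate markup.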
Solution
Upgrade to Opera version 9.52
http://www.opera.com/download/
Vendor Information
Opera
http://www.opera.com/docs/changelogs/windows/952/
http://www.opera.com/docs/changelogs/solaris/952/
http://www.opera.com/docs/changelogs/linux/952/
References
SecurityFocus
http://www.securityfocus.com/bid/31183
SecuriTeam
http://www.securiteam.com/securitynews/5JP0E1PPFW.html
Lookout
http://lookout.net/2008/08/26/advisory-attack-of-the-mongolian-space-evaders-and-other-medieval-xss-vectors/
CVE Name
CVE-2008-4196
Disclaimer
The information provided herein is on an "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
