Summary
Opera will execute command lines embedded in the URL when another program uses Opera to open a link. This affects UNIX versions of Opera (Linux/FreeBSD/Solaris).
Severity: High
Problem description
Opera for UNIX uses a wrapper shell script to start up Opera. This shell script reads the input arguments, like the file names or URLs that Opera is to open. It also performs some environment checks, for example whether Java is available and if so, where it is located.
This wrapper script can also run commands embedded in the URL, so that a specially crafted URL can make arbitrary commands run on the recipient’s machine. Users who have other programs set up to use Opera to open Web links are vulnerable to this flaw. For these users, clicking a Web link in, for example, OpenOffice.org or Evolution can run a command that was put into the link.
Opera’s response
Opera has made a change to the wrapper script so that shell commands fed to the script will no longer be executed. The updated wrapper script is included in Opera 8.51, which was released November 17, 2005.
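The class of wrapper-script flaw described above, as an added example that is not Opera's wrapper script or its fix. The advisory does not state the exact mechanism, so the `eval` re-parsing shown here is an assumption chosen to illustrate the pattern; `browser_stub`, `launch_unsafe`, `launch_safe` and `demo` are hypothetical names, and the URL is constructed.

```shell
#!/bin/sh
# Illustrative only: NOT Opera's wrapper. browser_stub stands in for the real binary.

# Stand-in for the browser binary: prints each argument it received, one per line.
browser_stub() {
    for arg in "$@"; do
        printf '%s\n' "$arg"
    done
}

# Risky pattern: arguments are flattened into one string and re-parsed by the
# shell, so shell syntax inside a URL is interpreted instead of passed along.
launch_unsafe() {
    cmd="browser_stub"
    for arg in "$@"; do
        cmd="$cmd $arg"
    done
    eval "$cmd"
}

# Hardened pattern: "$@" forwards every argument verbatim, with no re-parsing.
launch_safe() {
    browser_stub "$@"
}

# Runs the launcher named in $1 on a constructed URL that embeds a harmless
# command (create a marker file in a private temp dir), then reports whether
# the embedded command ran ("executed") or stayed plain data ("inert").
demo() {
    dir=$(mktemp -d)
    marker="$dir/marker"
    url="http://example.invalid/\$(touch $marker)"
    "$1" "$url" >/dev/null 2>&1 || true
    if [ -e "$marker" ]; then result=executed; else result=inert; fi
    rm -rf "$dir"
    printf '%s\n' "$result"
}

echo "eval-based wrapper:  $(demo launch_unsafe)"
echo "verbatim forwarding: $(demo launch_safe)"
```

When auditing a launcher script, the things to look for are `eval`, unquoted `$*` or `$@`, and command strings assembled from arguments.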
Credits
Opera wishes to thank Secunia for bringing this issue to our attention.