FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

opera -- image dragging vulnerability

Affected packages
linux-opera < 8.02
opera < 8.02
opera-devel < 8.02


VuXML ID 934b1de4-00d7-11da-bc08-0001020eed82
Discovery 2005-07-28
Entry 2005-07-30
Modified 2006-06-08

A Secunia Advisory reports:

Secunia Research has discovered a vulnerability in Opera, which can be exploited by malicious people to conduct cross-site scripting attacks and retrieve a user's files.

The vulnerability is caused due to Opera allowing a user to drag e.g. an image, which is actually a "javascript:" URI, resulting in cross-site scripting if dropped over another site. This may also be used to populate a file upload form, resulting in uploading of arbitrary files to a malicious web site.

Successful exploitation requires that the user is tricked into dragging and dropping e.g. an image or a link.