Version 10 of Opera’s web browser, which is currently in alpha, includes a feature called Opera-Unite. Opera-Unite is a web server included with the Opera web browser. This sounds like it is going to be a security nightmare.
From the Opera Unite Website (unite.opera.com):
Opera Unite Allows You to Easily Share Your Data … you can even run chat rooms and host entire web sites.
Opera Unite works behind firewalls and network address translation devices through the Opera Unite Proxy. (http://dev.opera.com/articles/view/opera-unite-developer-primer/)
Which means that even if you’ve got a firewall in place, unless you specifically tailor your policies, users on your internal network that have the Opera browser installed can run web servers off their desktop PCs that are available through Opera Unite to hosts on the Internet.
What is even more scary is that once a user with admin privileges has installed Opera 10 on a Windows 7 computer and configured a firewall rule to allow Opera.exe, a user with standard privileges can set up their own website that is available to the Internet. They don’t need to elevate privileges, they just need to be able to run Opera.
When running Opera 10 with Opera Unite (which can be enabled by a standard user), a standard user can make directories publically available to the Internet even if they are behind NAT and an external firewall. I tested this by installing Opera 10 and enabling on a VM that was running behind my NAT firewall. Before Opera-Unite would function, it did require a firewall rule be added for Opera.exe, though it wasn’t clear that this would enable web server functionality. I then ran Opera as a standard user and was able to activate Opera Unite and configure a public web server, able to share any directory with the Internet that I had access to.
At a minimum before this goes gold, Opera should ensure that you cannot turn on Opera Unite without elevating privileges.
Register
ebraiter June 23, 2009 (Article Rating: