| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <410A5C81.7000606@raintreeinc.com> Date: Fri, 30 Jul 2004 07:34:41 -0700 From: Josh Tolley <josh@...ntreeinc.com> To: Rohit Dube <rohit@...tikalsolutions.com> Cc: bugtraq@...urityfocus.com Subject: Re: File downloads in Opera at known locations Rohit Dube wrote: > Hi, > This is just a question. While using opera, I observed that as soon as it > prompts you for file download, it simultaneously starts the download with > same file extension in its %USERPROFILE/application data/opera/cache. Even > if the user afterwards chooses cancel, this temporary file does not get > deleted. There are plenty of vulnerabilities that require you to know the location of a file. So if you know the value of %USERPROFILE (which is available to things like JScript, isn't it?) and can convince the user to download your file, this could probably be exploitable. I expect Opera's convinced it's not a bug because other browsers seem to do the same thing. I haven't done detailed investigation, but both IE and Mozilla FireFox seem to begin the download to a temp folder as soon as you click the link. I expect it's to make the download take less time from the user's point of view. I've noticed on several occasions that whatever progress indicator is used in the browser I'm using, it seems to start out not from the beginning, but somewhere in the middle, indicating that the browser already began downloading. Josh Tolley
Powered by blists - more mailing lists