[<prev] [next>] [day] [month] [year] [list]
Message-Id: <200811171816.mAHIGMCt021206@www3.securityfocus.com>
Date: Mon, 17 Nov 2008 11:16:22 -0700
From: send9@...seclabs.com
To: bugtraq@...urityfocus.com
Subject: Opera 9.6x file:// overflow
Hello all -
I don't have time for a fancy advisory format, but I did want to disclose an issue.
Sometime in early October (late September?), around the time Opera 9.6 was released, I noticed that you could get it to crash after supplying the file:// handler with ~16,500 characters. I played around with it, but having very little memory corruption skillz I wasn't able to do much with it. I did, however, contact Opera through their web submission form.
Opera 9.61 was released in late October and still no fix. I contacted Opera using the e-mail address provided by the web form to follow up on the bug. Opera 9.62 then came out and still nothing.
I contacted Guido Landi aka k`sOSe to take a look. We determined that the file:// handler cannot be invoked from the Internet, but, it does work from a local HTML file. k`sOSe figured out that it was a heap overflow and was able to write a PoC for the bug: http://milw0rm.com/exploits/7135
Since Opera doesn't seem to care at all about this bug, I figured it was time to notify the public.
send9 <send9 [at] chiseclabs.com>
Powered by blists - more mailing lists