Reported November 20, 2003, by ::Operash::.

 

 

VERSIONS AFFECTED

 

  • Opera 7.22 for Windows and earlier

 

DESCRIPTION

 

A newly discovered vulnerability in Opera for Windows can result in the arbitrary download of code to a path of an attacker's choosing on the vulnerable system. The vulnerability lies in the browser's auto-install function, which runs when Opera receives any file delivered with the MIME type "application/x-opera-configuration-XXXXX" or "application/x-opera-skin" from a remote server. Because the name of the automatically saved file isn't sufficiently sanitized, an attacker can have the file saved in any directory that he or she can specify with a relative path, by putting the illegal character string "..%5C" (%5C is the URL-encoded backslash) in the filename.
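
The following is an added example, not Opera's code and not the discoverer's sample. It contrasts joining a percent-decoded, server-supplied file name to the save directory unchecked with a check that rejects any name able to leave that directory. SKIN_DIR, the function names and the sample file names are assumptions made for illustration.

```python
import ntpath  # Windows path rules, usable on any OS
from urllib.parse import unquote

SKIN_DIR = r"C:\Profile\Skin"  # hypothetical auto-install directory (assumption)

def naive_save_path(base_dir, remote_name):
    """Flawed pattern: decode the server-supplied name and join it unchecked."""
    return ntpath.normpath(ntpath.join(base_dir, unquote(remote_name)))

def safe_save_path(base_dir, remote_name):
    """Return the save path, or raise ValueError if the name could leave base_dir."""
    name = remote_name
    for _ in range(5):  # decode until stable so %255C -> %5C -> \ is caught
        decoded = unquote(name)
        if decoded == name:
            break
        name = decoded
    else:
        raise ValueError("too many layers of percent-encoding")
    # A bare file name has no separators, drive colon or control characters.
    if name in ("", ".", "..") or any(c in '\\/:' or ord(c) < 32 for c in name):
        raise ValueError(f"unsafe file name: {remote_name!r}")
    base = ntpath.normpath(base_dir)
    target = ntpath.normpath(ntpath.join(base, name))
    # Defence in depth: the resolved path must still sit under base_dir.
    if not ntpath.normcase(target).startswith(ntpath.normcase(base) + "\\"):
        raise ValueError(f"path escapes {base_dir!r}: {remote_name!r}")
    return target

def is_rejected(remote_name, base_dir=SKIN_DIR):
    """True when safe_save_path refuses the name."""
    try:
        safe_save_path(base_dir, remote_name)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    # Constructed sample names; "..%5C" is the string named in the advisory.
    for sample in ["blue%20skin.zip", "..%5C..%5Cevil.ini", "..%255Cevil.ini"]:
        print(sample, "->", naive_save_path(SKIN_DIR, sample),
              "| rejected" if is_rejected(sample) else "| accepted")
```

The naive join resolves the "..%5C" names to a path outside SKIN_DIR, while the checked version accepts only bare file names that stay inside it.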
 

DEMONSTRATION

The discoverer has posted sample code demonstrating this vulnerability at this web site: http://opera.rainyblue.org/adv/opera06-autosaved-en.php

VENDOR RESPONSE

Opera (http://www.opera.com/) has released version 7.23, which isn't vulnerable to this problem.

 

CREDIT

 

Discovered by :: Operash ::.