Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:20885
HistoryNov 19, 2008 - 12:00 a.m.

Opera 9.6x file:// overflow

2008-11-1900:00:00
vulners.com
8
JSON

Hello all -

I don't have time for a fancy advisory format, but I did want to disclose an issue.

Sometime in early October (late September?), around the time Opera 9.6 was released, I noticed that
you could get it to crash after supplying the file:// handler with ~16,500 characters. I played
around with it, but having very little memory corruption skillz I wasn't able to do much with it. I
did, however, contact Opera through their web submission form.

Opera 9.61 was released in late October and still no fix. I contacted Opera using the e-mail address
provided by the web form to follow up on the bug. Opera 9.62 then came out and still nothing.

I contacted Guido Landi aka k`sOSe to take a look. We determined that the file:// handler cannot be
invoked from the Internet, but, it does work from a local HTML file. k`sOSe figured out that it was a
heap overflow and was able to write a PoC for the bug: http://milw0rm.com/exploits/7135

Since Opera doesn't seem to care at all about this bug, I figured it was time to notify the public.

send9 <send9 [at] chiseclabs.com>

JSON