|
Hello all -
I don't have time for a fancy advisory format, but I did want to disclose an issue.
Sometime in early October (late September?), around the time Opera 9.6 was released, I noticed that
you could get it to crash after supplying the file:// handler with ~16,500 characters. I played
around with it, but having very little memory corruption skillz I wasn't able to do much with it. I
did, however, contact Opera through their web submission form.
Opera 9.61 was released in late October and still no fix. I contacted Opera using the e-mail address
provided by the web form to follow up on the bug. Opera 9.62 then came out and still nothing.
I contacted Guido Landi aka k`sOSe to take a look. We determined that the file:// handler cannot be
invoked from the Internet, but, it does work from a local HTML file. k`sOSe figured out that it was a
heap overflow and was able to write a PoC for the bug: http://milw0rm.com/exploits/7135
Since Opera doesn't seem to care at all about this bug, I figured it was time to notify the public.
send9 <send9 [at] chiseclabs.com>
|
