Opera MIME Types Let Remote Users Place Arbitrary Files in Certain Directories on the Target System
Category: Vulnerability | Posted: 2003-11-13 by ReCall
Description: A vulnerability was reported in the Opera web browser. A remote user can create HTML that, when loaded by the target user, will write arbitrary files to certain known directories on the target user's system.
It is reported that there is a flaw in the processing of Opera-specific MIME types, including browser skin and browser configuration MIME types. A remote user can cause a file with an arbitrary file name and arbitrary file contents to be written to the target user's system in a known location. As a result, the remote user can cause scripts to be executed with higher privileges, allowing the remote user to view directory contents and files on the target user's system.
The affected MIME types are:
application/x-opera-skin
application/x-opera-configuration-skin
application/x-opera-configuration-keyboard
application/x-opera-configuration-mouse
application/x-opera-configuration-menu
application/x-opera-configuration-toolbar
The "application/x-opera-skin" MIME type reportedly will download files (that are ostensibly skin files, but can be any file) to the following location without requesting confirmation from the target user:
C:\Program Files\Opera7\profile\Skin
The "application/x-opera-configuration-skin" MIME type allows a remote user to place a file in the "C:\Program Files\Opera7\profile\skin" directory.
The "application/x-opera-configuration-keyboard" MIME type allows a remote user to place a file in the "C:\Program Files\Opera7\profile\keyboard" directory.
The "application/x-opera-configuration-mouse" MIME type allows a remote user to place a file in the "C:\Program Files\Opera7\profile\mouse" directory.
The "application/x-opera-configuration-menu" MIME type allows a remote user to place a file in the "C:\Program Files\Opera7\profile\menu" directory.
Finally, the "application/x-opera-configuration-toolbar" MIME type allows a remote user to place a file in the "C:\Program Files\Opera7\profile\toolbar" directory.
Impact: A remote user can place a file with arbitrary contents and an arbitrary file name in certain directories on the target user's system. In turn, this allows the remote user to execute scripting code in the local system domain.
Solution: The vendor has released a fixed version (7.22), available at:
http://www.opera.com/download/
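Until every client is on 7.22, proxy logs can show which hosts are serving the affected MIME types and which Opera clients received them. The following is an added example, not part of the original advisory; the tab-separated log layout (client, host, Content-Type, User-Agent), the addresses and the host names are constructed for illustration.

```python
import re

# Affected MIME types and the profile subdirectory each one writes to,
# taken from the advisory text above.
AFFECTED = {
    "application/x-opera-skin": "Skin",
    "application/x-opera-configuration-skin": "skin",
    "application/x-opera-configuration-keyboard": "keyboard",
    "application/x-opera-configuration-mouse": "mouse",
    "application/x-opera-configuration-menu": "menu",
    "application/x-opera-configuration-toolbar": "toolbar",
}
FIXED = (7, 22)  # first fixed version per the advisory
# Assumption: Opera 7.x identifies itself as "Opera 7.21" or "Opera/7.21".
UA_RE = re.compile(r"Opera[ /](\d+)\.(\d+)")

def opera_version(user_agent):
    """Return (major, minor) parsed from an Opera User-Agent, else None."""
    m = UA_RE.search(user_agent)
    return (int(m.group(1)), int(m.group(2))) if m else None

def media_type(content_type):
    """Normalise a Content-Type value: drop parameters, trim, lowercase."""
    return content_type.split(";", 1)[0].strip().lower()

def scan(lines):
    """Return one finding per response that carried an affected MIME type."""
    findings = []
    for line in lines:
        client, host, ctype, ua = line.rstrip("\n").split("\t")
        mtype = media_type(ctype)
        if mtype not in AFFECTED:
            continue
        ver = opera_version(ua)
        findings.append({
            "client": client, "host": host, "mime": mtype,
            "dir": AFFECTED[mtype], "opera": ver,
            "vulnerable": ver is not None and ver < FIXED,
        })
    return findings

# Constructed sample log lines (hypothetical format and values).
SAMPLE = [
    "10.0.0.5\tskins.example.net\tApplication/X-Opera-Skin; charset=binary\tMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Opera 7.21  [en]",
    "10.0.0.6\tcfg.example.net\tapplication/x-opera-configuration-menu\tOpera/7.22 (Windows NT 5.1; U)  [en]",
    "10.0.0.7\twww.example.org\ttext/html\tOpera/7.11 (Windows NT 5.0; U)  [en]",
    "10.0.0.8\tcfg.example.net\tapplication/x-opera-configuration-toolbar\tMozilla/5.0 (Windows; U) Gecko/20031007",
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f)
```

Findings marked `vulnerable` identify clients whose profile directories are worth inspecting for unexpected files; the remaining findings still show which hosts serve these types.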