Re: Re: Re: Re: Re: Re: Opera 9.6x file:// overflow

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Re: Re: Re: Re: Re: Opera 9.6x file:// overflow
From: send9@xxxxxxxxxxxxxx
Date: 20 Nov 2008 19:50:07 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

I don't mean to come off as a jerk here, but, most of the questions that have 
been asked were mentioned in the original message and in k`sOSe's code.

As I've said, Opera does not allow you to invoke the file:// handler from the 
Internet. I am not sure about Java applets, but JavaScript is the method used 
in the exploit code. We tried window.open() and window.location but neither 
allow it work. If you can get it to work, please let us know!

As far people that said "it worked" when a new tab opens with an error -- no, 
it did not work. It "works" when it the browser crashes, or ideally, calc.exe 
opens. I feel like Opera silently fixed this, but I don't have the time to 
figure it out right now.

Please, take the time to read the original message a little closer and review 
the PoC. I realize that it doesn't answer all questions, but it will answer a 
lot that have been asked here! :)

send9

Prev by Date: Re: Cpanel 11.x Local File Inclusion & Cross Site Scripting - Discovered By Khashayar Fereidani
Next by Date: [ MDVSA-2008:233 ] libcdaudio
Previous by thread: Re: Re: Re: Re: Re: Opera 9.6x file:// overflow
Next by thread: Exodus v0.10 uri handler arbitrary parameter injection
Index(es):
- Date
- Thread