J-Security Center

Title: Opera Relative Path Directory Traversal File Corruption Vulnerability

Severity: MODERATE

Description:

Opera is prone to a file corruption vulnerability. This issue is exposed when a user is presented with a file dialog, which will cause the creation of a temporary file. For example, if the user was prompted to download FILENAME.ext, then the following temporary file would be created:

"c:\windows\temp\FILXXX.tmp.FILENAME.ext"

(where XXX is a random value)

However, it is possible to specify a relative path to another file on the system using directory traversal sequences when the download dialog is displayed. For example, if the user was prompted to download a filename that contained '%5C..' sequences that form a relative path to another system file, then that file would be corrupted. This would only be possible if the user had write permissions to the attacker-specified file.
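The path handling described above, as an added Python example that is not code from Opera or from this advisory: `naive_temp_path` models the flawed construction (an assumption about its shape), and `safe_leaf` / `safe_temp_path` show one way to reduce a suggested name to a bare file name and confirm the result stays in the temp directory. All function names and the sample file name are constructed for illustration.

```python
import ntpath  # Windows path rules, usable on any OS
import secrets
from urllib.parse import unquote

TEMP_DIR = r"c:\windows\temp"  # directory from the advisory's example

def naive_temp_path(suggested, token="XXX"):
    # Model of the flawed behaviour (an assumption, not Opera's code):
    # the decoded name is appended to the temp prefix without checks.
    return ntpath.normpath(ntpath.join(TEMP_DIR, f"FIL{token}.tmp.{unquote(suggested)}"))

def safe_leaf(suggested):
    """Reduce a server-suggested download name to a bare file name."""
    name = suggested
    for _ in range(5):  # decode repeatedly so %255C-style nesting collapses too
        decoded = unquote(name)
        if decoded == name:
            break
        name = decoded
    else:
        raise ValueError("too many encoding layers")
    # Keep only the last component, whichever separator was used.
    leaf = ntpath.basename(name.replace("/", "\\"))
    # Drop characters Windows forbids in names, and control characters.
    leaf = "".join(c for c in leaf if c not in '<>:"|?*' and ord(c) >= 32)
    leaf = leaf.strip(" .")  # also turns "." and ".." into an empty string
    if not leaf:
        raise ValueError("no usable file name")
    return leaf

def safe_temp_path(suggested):
    leaf = safe_leaf(suggested)
    token = secrets.token_hex(2).upper()
    path = ntpath.normpath(ntpath.join(TEMP_DIR, f"FIL{token}.tmp.{leaf}"))
    # Containment check: the result must sit directly inside TEMP_DIR.
    if ntpath.dirname(path).lower() != TEMP_DIR.lower():
        raise ValueError("path escapes the temp directory")
    return path

if __name__ == "__main__":
    sample = "%5C..%5C..%5Cwin.ini"  # constructed sample name
    print(naive_temp_path(sample))
    print(safe_temp_path(sample))
```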

This could be exploited to delete sensitive files on the system. It has been reported that an attacker may harness Opera's auto-install functionality for Skin Files and Configuration Files (certain MIME types are opened with Opera) to further exploit this vulnerability. This method may enable an attacker to write an arbitrary file to, for example, the Windows startup folder without requiring user intervention. The malicious file would be executed when the system is restarted.

This issue was reported in Opera for Windows platforms. It is not known whether other platforms are also affected.

Affected Products:

  • Opera Software Opera Web Browser 7.0.0 1win32
  • Opera Software Opera Web Browser 7.0.0 2win32
  • Opera Software Opera Web Browser 7.0.0 3win32
  • Opera Software Opera Web Browser 7.0.0 win32
  • Opera Software Opera Web Browser 7.0.0 win32 Beta 1
  • Opera Software Opera Web Browser 7.0.0 win32 Beta 2
  • Opera Software Opera Web Browser 7.10.0
  • Opera Software Opera Web Browser 7.11.0
  • Opera Software Opera Web Browser 7.11.0 b
  • Opera Software Opera Web Browser 7.11.0 j
  • Opera Software Opera Web Browser 7.20.0
  • Opera Software Opera Web Browser 7.20.0 Beta 1 build 2981
  • Opera Software Opera Web Browser 7.21.0
  • Opera Software Opera Web Browser 7.22.0
