what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New


Posted Nov 25, 2003
Authored by Jouko Pynnonen | Site klikki.fi

Two vulnerabilities were found in the Opera web browser versions up to 7.22. Both are related to skin files, with one being a directory traversal attack that allows an attacker to upload a file to a victim's machine while the other is a buffer overflow in the skin file handling.

tags | advisory, web, overflow, vulnerability
SHA-256 | 1fe7a3b278a5f299a11bc53c79e45f6df58c6100dbd0c6ca31456d8ee6312569


Change Mirror Download

Two vulnerabilities were found in the Opera web browser versions up to
7.22. They are related to skin files. The first one is a directory
traversal problem which allows an attacker to upload a file to an
arbitrary location on the victim system. The second is a buffer
overflow in skin file handling. A new version, 7.23, was released to
address the issues.


Opera automatically downloads skin files which have the MIME type
application/x-opera-skin. They are normally placed in
%USERPROFILE%\Application Data\Opera\Opera7\profile\Skin.

On November 12th S.G. Masood reported that a file of any type can be
dropped to Opera's default folders. This was fixed in Opera 7.22. After
the fix, only zip files are accepted. My further research revealed that
a directory traversal attack allows skin files to be uploaded to
arbitrary locations on the victim system.

When a skin file is downloaded, the resulting file name is determined
by the Content-disposition HTTP header, or if it isn't supplied, the
URL. In the latter case the last element of the URL is the filename
which Opera uses. An attacker may however use an URL ending with
hex-encoded backslashes, ie. "..%5c..%5c..%5c" to get out of Opera's
folder hierarchy. For instance, a skin file fetched from an URL like


would be downloaded to C:\ under a typical Windows installation.

As the browser doesn't accept just any file after the 7.22 update,
exploiting the issue becomes slightly more difficult. The file format
must pass some checks to assure Opera of it being a real zip file. The
file extension can be chosen arbitrarily by the attacker.

One exploit scenario is to place a zip-like file in the victim user's
Startup folder. The file extension determines how it will be opened by
Windows. E.g. if the file name ends with ".bat", it will be opened as a
batch file. It's relatively easy to create a file which passes the
check as zip file but also works when opened as a batch file. Due to
the zip file signature and other binary data it will produce some error
messages but nevertheless command lines contained in the file will be
executed. In this way an attacker can get access to the system with the
privileges of the current user.

Locating the Startup folder isn't a problem because Opera's skin folder
is below the %USREPROFILE% folder, and pointing to the startup folder
with a relative path is easy.

The zip processing code also contains a buffer overflow which I found
while testing the abovementioned vulnerability. If a valid zip file
contains extra data after the zip data, a buffer overflow occurs. An
attacker may control contents of some registers including EIP, so this
buffer overflow seems exploitable, although I didn't produce an

In order to be exploited, these vulnerabilities require the victim to
visit a web page created by a malicious user. An iframe tag may be used
to automatically open a skin file.

The directory traversal problem doesn't exist on Linux because "\" isn't
a directory separator. Other versions weren't tested. The buffer
overflow can be produced on Linux, too.

Operash (http://opera.rainyblue.org) has found the directory traversal
issue independantly. According to their advisory, also some other MIME
types can be used, which of some don't have the zip file format


The vendor was notified on November 12, 2003 and a new version of Opera
was released on November 21st. It can be downloaded at



The vulnerabilities were discovered by Jouko Pynnönen, Finland.

Jouko Pynnönen Web: http://iki.fi/jouko/
jouko@iki.fi GSM: +358 41 5504555
Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    28 Files
  • 16
    Jul 16th
    6 Files
  • 17
    Jul 17th
    34 Files
  • 18
    Jul 18th
    6 Files
  • 19
    Jul 19th
    34 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By