Date: Dec 12 2003
Impact: Modification of system information, Modification of user information
Fix Available: Yes
Exploit Included: Yes
Version(s): 7.22 and prior 7.x versions
Description: A vulnerability was reported in the Opera web browser. A remote user can cause arbitrary files to be deleted in certain cases.
':: Operash ::' reported that when the browser displays a download dialog, the browser creates a temporary file in the temporary directory based on the name of the file to be downloaded. The browser reportedly does not validate the filename, so a filename can contain the '..%5C' directory traversal characters. As a result, a remote user can create a specially crafted file name as part of a URL to cause files on the target user's system to be overwritten and then deleted when the target user loads the URL and receives the download dialog. Only files that the target user has write permissions for can be deleted.
A demonstration exploit filename that will cause c:\windows\calc.exe to be deleted is provided.
The following notification timeline is provided:
2003-10-09 Discovered this vulnerability.
2003-11-26 Reported to vendor.
2003-12-12 Released this advisory.
The vendor has reportedly not responded.
Impact: A remote user can cause an arbitrary file on the target user's computer to be deleted with the permissions of the target user when the target user attempts to download a specially crafted filename (even if the file is not actually downloaded).
Solution: The author reports that version 7.23 build 3227 (JP:build 3226) is not vulnerable.
Vendor URL: www.opera.com/
Cause: Input validation error
Underlying OS: Windows (Any)
Reported By: ":: Operash ::"
--
Donna
Online Security Tools
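
The root cause described in the advisory (a temporary file name taken from the URL without validation) is shown below as an added example; it is not Opera's code and not the reporter's demonstration filename. `naive_temp_path` reproduces the flaw class and `safe_temp_path` is one way to close it. The function names, the `C:\Temp` directory and the sample URL are assumptions constructed for illustration.

```python
import ntpath  # Windows path rules, usable on any platform
import re
from urllib.parse import unquote, urlsplit

# Constructed sample input (not the advisory's exploit string).
SAMPLE_URL = "http://example.invalid/dl/..%5Cwindows%5Ccalc.exe"

# Windows device names that must never become a file stem.
_RESERVED = ({"CON", "PRN", "AUX", "NUL"}
             | {f"COM{i}" for i in range(1, 10)}
             | {f"LPT{i}" for i in range(1, 10)})


def naive_temp_path(url, temp_dir):
    """Flawed pattern: decode the last URL segment and join it as-is."""
    name = unquote(urlsplit(url).path.rsplit("/", 1)[-1])
    return ntpath.normpath(ntpath.join(temp_dir, name))


def safe_temp_path(url, temp_dir):
    """Return a path directly inside temp_dir, or raise ValueError."""
    segment = urlsplit(url).path.rsplit("/", 1)[-1]
    # Decode until stable so double encoding (%255C) cannot survive as %5C.
    for _ in range(5):
        decoded = unquote(segment)
        if decoded == segment:
            break
        segment = decoded
    else:
        raise ValueError("too many encoding layers")
    # Keep only the last component; '\' and '/' both count as separators.
    name = ntpath.basename(segment.replace("/", "\\"))
    # Replace characters Windows forbids, then drop trailing dots and spaces.
    name = re.sub(r'[<>:"|?*\x00-\x1f]', "_", name).rstrip(". ")
    if not name or name.split(".")[0].upper() in _RESERVED:
        raise ValueError("unusable filename")
    base = ntpath.normpath(temp_dir)
    candidate = ntpath.normpath(ntpath.join(base, name))
    # Containment check: the parent of the result must be temp_dir itself.
    if ntpath.normcase(ntpath.dirname(candidate)) != ntpath.normcase(base):
        raise ValueError("path escapes temp directory")
    return candidate


if __name__ == "__main__":
    print("naive:", naive_temp_path(SAMPLE_URL, "C:\\Temp"))
    print("safe: ", safe_temp_path(SAMPLE_URL, "C:\\Temp"))
```

The naive version resolves the sample to a path outside the temporary directory, while the hardened version keeps only the final name component and verifies containment before any file is created or deleted.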
