Opera Memory Error in Processing Long HREF Tags Lets Remote Users Deny Service
SecurityTracker Alert ID: 1016359
SecurityTracker URL: http://securitytracker.com/id/1016359
CVE Reference: CVE-2006-3199
Updated: Sep 17 2008
Original Entry Date: Jun 22 2006
Impact: Denial of service via network
Exploit Included: Yes
Version(s): 9.0
Description:
A vulnerability was reported in Opera. A remote user can cause denial of service conditions.
A remote user can create HTML with a specially crafted HREF tag. When the HTML is loaded by the target user, the target user's browser will crash.
A demonstration exploit is available at:
http://www.critical.lt/research/opera_die_happy.html
The original advisory is available at:
http://www.critical.lt/?vuln/349
Povilas Tumenas a.k.a. N9 discovered this vulnerability.
Impact:
A remote user can cause denial of service conditions.
Solution:
No solution was available at the time of this entry.
Vendor URL: www.opera.com/
Cause: Boundary error
Underlying OS: Windows (Any)
Message History: None.
Source Message Contents
Date: Wed, 21 Jun 2006 03:39:09 +0000
Subject: Opera 9 DoS PoC
Critical Security advisory #009 [http://www.critical.lt]
Advisory can be reached: http://www.critical.lt/?vuln/349
We are: N9, bigb0u, cybergoth, iglOo, mircia, Povilas
Shouts to Lithuanian girlz! and our friends ;]
Product: Opera 9 (8.x is immune to this)
Vuln type: Denial of Service
Risk: moderated
Attack type: Remote
Details:
Vulnerability can be exploited by using a large value in a href tag to create an out-of-bounds memory access.
Proof Of Concept DoS exploit:
http://www.critical.lt/research/opera_die_happy.html
Research was originally done by Povilas Tumėnas a.k.a. N9
P.S. To Opera Team, we like your browser and want it to be as good as possible.
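With no vendor fix listed in this entry, one defensive option is to screen HTML for oversized href values before it reaches the browser. The following is an added example, not code from the advisory or from Opera; the 2048-character limit, the name find_long_hrefs and the sample document are assumptions, since the advisory states no trigger length.

```python
from html.parser import HTMLParser

# Assumption: the advisory gives no length at which Opera 9 fails, so this
# limit is an arbitrary policy value chosen for the example.
MAX_HREF_LEN = 2048

# HTML elements that carry an href attribute.
HREF_TAGS = {"a", "area", "link", "base"}


class LongHrefFinder(HTMLParser):
    """Collect (tag, line, href_length) for every href above the limit."""

    def __init__(self, limit=MAX_HREF_LEN):
        super().__init__(convert_charrefs=True)
        self.limit = limit
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so <A HREF=...>
        # is matched as well. Self-closing tags also arrive here.
        if tag not in HREF_TAGS:
            return
        for name, value in attrs:
            if name == "href" and value is not None and len(value) > self.limit:
                line, _col = self.getpos()  # position of the tag's "<"
                self.findings.append((tag, line, len(value)))


def find_long_hrefs(html_text, limit=MAX_HREF_LEN):
    """Return a list of (tag, line, href_length) for oversized href values."""
    finder = LongHrefFinder(limit)
    finder.feed(html_text)
    finder.close()
    return finder.findings


# Constructed sample: one ordinary link and one link whose href exceeds the limit.
SAMPLE = (
    "<html><body>\n"
    '<a href="http://example.com/">ok</a>\n'
    '<A HREF="' + "x" * 3000 + '">long</A>\n'
    "</body></html>"
)

if __name__ == "__main__":
    for tag, line, length in find_long_hrefs(SAMPLE):
        print(f"line {line}: <{tag}> href is {length} characters")
```

A proxy or mail gateway can drop or rewrite documents for which find_long_hrefs returns any finding.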