
One more crasher? brrr.... (SecurityFocus)


Arioch /BDV/

Oct 22, 2004, 2:42:44 PM
Hello, All!

Samples: http://lcamtuf.coredump.cx/mangleme/gallery/

About: http://www.securityfocus.com/archive/1/378632/2004-10-12/2004-10-18/0

:-(

Will we see 7.60 tp2 ? :-)

--
WinAMP://none: WinAMP is suffocated
http://Arioch.nm.ru/FL/Fidolook_SL.png
Mail: the)under(Arioch)at(nm)dot(ru ICQ: xmpp://ari...@jabber.ru

Steven V. Gunhouse

Oct 22, 2004, 11:57:51 PM
On Fri, 22 Oct 2004 22:42:44 +0400, Arioch /BDV/
<the_A...@nm.False-Domain.ru> wrote:

This CGI script has been discussed in opera.general, opera.beta and the
forums since Monday. While it's interesting, there are two key items here
...

1) the code it generates is complete nonsense, and hence shouldn't occur
"in the wild".

2) At the moment, it is not known that any of them are actually
exploitable. All you know is they crash Opera (or whichever browser), not
that they can be used to execute code. While crashes are not fun, it is
possible to crash "gracefully". Indeed the earlier PNG example would crash
Opera, but not in an exploitable fashion.

The discussion so far has been that of course programs shouldn't crash,
but at this point these examples seem less important for the two reasons
above. Something that is actually likely to be encountered or is
exploitable is more important.

And there will be a P2, when it's ready. This probably will have no impact
in that regard.

--
Using Opera's revolutionary e-mail client: http://www.opera.com/m2/

Marek Mänd

Oct 24, 2004, 7:09:51 PM

> Will we see 7.60 tp2 ? :-)

yes, as you ask for it, we hopefully will see this crash in 7.60 TP2 too :-)

Anyways, since the appearance of tabbed browsing in Opera4
FIVE years ago (marks also the advent of such an unpleasant ranter like
me being present in these NGs ;( ) I had always wondered about the
power of my little javascript crashing library back then, that I made
for fun from my own experiences (I didn't know about security bulletins
back then) which consisted of browser-detection statements and related
if statements, that would pick the right javascript crashing function to
be called from inside the generic crashIt function. I even BSODed Win95
completely using Microsoft DirectAnimation object with recursion ;D
<input type="button" onclick="crashIt()">

One of my favourites for Opera was
if(Object.toSource)k=1;

In my rants from ages dating back to 1999 or so I wanted to show how the
MDI is wrong, but probably nobody ever read my messages because of my
expression of language of that time.

The MDI created a lot of fun and frustration, because with
<script>if(Object.toSource)k=1;</script>
I was able to crash all your MDI browser from my home page,
even your Opera email... And that on demand under controlled circumstances
by putting it into a javascript function. The power wasn't about crashing
the browser window, but the annoyance that the new weakly managed MDI
created by crashing

ALL THE THING, THE SUITE (email, all MDI browser sessions)
PLUS
because back then Opera didn't have a startup dialog
and most of the users definitely had "on launch restore all previous
windows" preference set, they ended up again back on my home page
which crashed the whole Opera again and caused a vicious circle.

The initial launch and feature set of the MDI wasn't thought through
well at all.


There were many other issues I pointed out with MDI, but going off-topic,
what amazes me the most is,

SO MANY YEARS LATER
ALMOST FIVE YEARS LATER AFTER THE ADVENT OF TABBED BROWSING IN OPERA


now some guys from Secunia
2004-10-20
http://secunia.com/multiple_browsers_dialog_box_spoofing_test/
Multiple Browsers Dialog Box Spoofing Vulnerability Test

find something as a security issue that I was worried and astonished
about all those years.


anyways for historical note
http://groups.google.com/groups?hl=et&lr=&ie=UTF-8&selm=9n5ptm%24dfa%241%40mail.opera.no
Opera5.0 wasn't a secure browser after all.
It allowed, with some javascript, to upload any file you wanted from
your hard disk or corporate network mapped drives.

I assume we will now start to see more and more security issues of those
browsers other than MSIE, because earlier there wasn't a point making
exploits for the browsers with marginal user base.

Arioch /BDV/

Oct 25, 2004, 5:56:51 AM
The stars so gaily glistened... (Mon, 25 Oct 2004 02:09:51 +0300 @6)
...while the fading voice of Marek whispered through the darkness:

MM> if(Object.toSource)k=1;

Ooh... that is not sadistic enough.

Much simpler and better is
for (;;) alert("Do You still think You can save the pages, You've open ?")

Yes, if one had opened another window of Opera, then he can pull pages into
it using Windows Panel, but if he had not or is not so curious-minded?

Funny is that in earlier versions of Opera 7 (or Opera 6, I don't remember) it
was fixed - with every alert You could stop the script.
But later Opera Software again decided that de Sade was a cool guy to follow
:-)

--
ICQ - xmpp://ari...@jabber.ru xmpp://9343...@icq.jabber.ru
http://Arioch.nm.ru/FL/Fidolook_SL.png Mail: the_Arioch<at>nm<dot>ru

Marek Mänd

Oct 26, 2004, 1:03:17 PM
Arioch /BDV/ wrote:
> The stars so gaily glistened... (Mon, 25 Oct 2004 02:09:51 +0300 @6)
> ....while the fading voice of Marek whispered through the darkness:

> MM> if(Object.toSource)k=1;
> Ooh... that is not sadistic enough.

as it crashed the Opera4 gen and maybe initial O5 too, it was.

> Much simpler and better is
> for (;;) alert("Do You still think You can save the pages, You've open ?")

That suffers from lack of class and is lame.
When I created my library, long forgotten, the intent was:

1) at any time I wish to crash the browser
I have one toplevel func avail that sorts out different
browsers for me. Very fine grained browser detection based on
core JS bugs (like nnav3 not calculating toString(16) correctly etc)

2) The codebase should not produce runtime errors in any of the
supported browsers it will be loaded in via <script src="...

3) There should be no user interaction, user should not fulfil
requirements for the script to work (e.g. press only the tilde key
(consecutive presses of dead keys crashed Netscape4 - etc))

4) All these crashes were detected by myself, through my long
work in the field of expertise. Nothing borrowed from anybody.

And I crashed opera3.x, Opera4, Opera5, Netscape3, netscape4, Netscape6
mozillas and of course IE4,5,5.5,6. But I lost all the interest more than 3
years ago. Initially I made this for my pokergame

http://my.tele2.ee/cadorsoft/netpjoker

(plays with netscape4, but not with operas, because at that time blah...)

and the idea was to crash the browser if player had gone out of credit. ;D

Yet another interesting thing I made for IE in year 2001 was
http://my.tele2.ee/cadorsoft/temp_jsthingies/cdr_js_techdoc_JSABC-coproduct-windowshitterer.htm

It has lost very much of its value, because with the broader spread of
win2000 etc the window focus thing got totally redone. And now there is
many times more material about programming available than at the time I
started, and scripting isn't considered cool as in the hard old die-hard oldschool
nnav4 times. But in Win95,98,Me times it totally blocked the Windows,
even task switching with ALT tab wasn't possible.
I remember even on some russian web forum (I don't read russian webpages,
just did a search to find out what the url was to give it to another
person for lookout) I was dedicated a thread and I was amused about
IIRC somebody saying "kleva" ;D


> Yes, if one had opened another windows of Opera, then he can pull pages
> into it using Windows Panel, but if he had not or is not so curious-minded?
> Funny is that in earlier versions of Opera 7 (or Opera 6, I don't
> remember) it was fixed - with every alert You could stop the script.
> But later Opera Software again decided that de Sade was a cool guy to follow

Opera 6 introduced the checkbox in the alert dialog boxes to break out
from the eternal alert windows massacre. Opera7 doesn't have it.
Anyways the Opera alertbox is broken badly anyway, it lets keyboard
events through to the document, which it should not do. Whatever. Nobody reads the
NG for issues ;D If one would look and search by my name in the google
archive for the years I have been around here, the QA would have enough
months to be busy ;D


--
marekmand
Tallinn, Estonia
Well, you know, the jerks came up with that as if it were the only one of them.
But that's not so, funny that with prompt and so on it works the same way
too ;D So what the checkbox stood for, I had no idea.
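An added example, not code from the thread or from Opera: a rate-limited wrapper around `window.alert` in the spirit of the Opera 6 checkbox Marek describes, replayed against a bounded version of the `for (;;) alert(...)` loop from Arioch's post using a fake clock. The names `makeGuardedAlert` and `simulateAlertStorm` are this example's own.

```javascript
// Added example (not from the thread): a rate-limited replacement for
// window.alert, mimicking the "stop further dialogs" checkbox Opera 6 had.
// Names below (makeGuardedAlert, simulateAlertStorm) are this example's own.

// realAlert: the function that actually shows a dialog.
// At most maxDialogs dialogs are shown per windowMs; the rest are suppressed.
// now() is injectable so the behaviour can be simulated without a browser.
function makeGuardedAlert(realAlert, { maxDialogs = 3, windowMs = 5000, now = Date.now } = {}) {
  const recent = [];        // timestamps of dialogs shown within the window
  let shown = 0, suppressed = 0;
  function guarded(message) {
    const t = now();
    // drop timestamps that have aged out of the sliding window
    while (recent.length && t - recent[0] > windowMs) recent.shift();
    if (recent.length >= maxDialogs) {
      suppressed += 1;
      return false;           // not shown: the page can no longer hold the UI hostage
    }
    recent.push(t);
    shown += 1;
    realAlert(message);
    return true;
  }
  guarded.stats = () => ({ shown, suppressed });
  return guarded;
}

// Replay the "for (;;) alert(...)" loop against the guard, bounded to
// `iterations` calls and driven by a fake clock that advances 10 ms per call.
function simulateAlertStorm(iterations) {
  let fakeTime = 0;
  const displayed = [];     // messages that reached the (fake) dialog
  const guardedAlert = makeGuardedAlert((m) => displayed.push(m),
    { maxDialogs: 3, windowMs: 5000, now: () => fakeTime });
  for (let i = 0; i < iterations; i++) {
    fakeTime += 10;
    guardedAlert("Do you still think you can save the pages you've open?");
  }
  return { ...guardedAlert.stats(), displayed: displayed.length };
}

// In a browser, install the guard over the real alert.
if (typeof window !== "undefined" && typeof window.alert === "function") {
  window.alert = makeGuardedAlert(window.alert.bind(window));
}
```

With 1000 calls at 10 ms spacing and a 3-per-5-seconds budget, only six dialogs are shown (three at the start and three once the window slides past them) and the other 994 are suppressed.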

OmegaJunior

Oct 28, 2004, 3:40:39 AM
On Tue, 26 Oct 2004 20:03:17 +0300, Marek Mänd <cador...@mail.ee> wrote:

> Whatever. Nobody reads the NG for issues ;D If one would look and search by my name in the google archive for the years I
> have been around here, the QA would have enough months to be busy ;D

Bull. Tim Altman and Rijk van Geitenbeek continuously read the news groups and provide the best support they have. I've even seen Hakom himself post here and there.

If you post your technical issues in the wrong place (i.e. the news groups instead of the bug tracking system), and then complain about lack of acknowledgement, you are the one with serious issues, not Opera SA.

--
Opera 7.54.3865 / Win2KPro / No Java

Arioch /BDV/

Oct 28, 2004, 5:53:40 AM
The stars so gaily glistened... (Thu, 28 Oct 2004 09:40:39 +0200 @361)
...while the fading voice of OmegaJunior whispered through the darkness:

O> If you post your technical issues in the wrong place (i.e. the news
O> groups instead of the bug tracking system), and then complain about lack

1) If only there was an offline client for bug reporting, 'cause the www way is not
usable for dialup users...
2) At least the bug about Forever Alert was filed a loooong time ago!
