Re: File downloads in Opera at known locations
- To: Rohit Dube <rohit@xxxxxxxxxxxxxxxxxxxxx>
- Subject: Re: File downloads in Opera at known locations
- From: Josh Tolley <josh@xxxxxxxxxxxxxxx>
- Date: Fri, 30 Jul 2004 07:34:41 -0700
Rohit Dube wrote:

Hi,
This is just a question. While using Opera, I observed that as soon as it
prompts you for file download, it simultaneously starts the download with
same file extension in its %USERPROFILE/application data/opera/cache. Even
if the user afterwards chooses cancel, this temporary file does not get
deleted.

There are plenty of vulnerabilities that require you to know the
location of a file. So if you know the value of %USERPROFILE (which is
available to things like JScript, isn't it?) and can convince the user
to download your file, this could probably be exploitable.

I expect Opera's convinced it's not a bug because other browsers seem to
do the same thing. I haven't done detailed investigation, but both IE
and Mozilla Firefox seem to begin the download to a temp folder as soon
as you click the link. I expect it's to make the download take less time
from the user's point of view. I've noticed on several occasions that
whatever progress indicator is used in the browser I'm using, it seems
to start out not from the beginning, but somewhere in the middle,
indicating that the browser already began downloading.

Josh Tolley
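
One way a download manager could avoid both behaviours discussed in this thread (a pre-consent file at a guessable path with the original extension, and a leftover file after Cancel), as an added example that is not part of the original messages or any browser's code. The class `StagedDownload`, its methods and the file names are hypothetical.

```python
import os
import shutil
import tempfile


class StagedDownload:
    """A download that starts before the user has answered the save prompt."""

    def __init__(self, cache_dir):
        # mkstemp creates the file exclusively, with owner-only permissions and
        # a random name; no server-supplied name or extension is used.
        fd, self.path = tempfile.mkstemp(prefix="dl-", suffix=".part", dir=cache_dir)
        self._fh = os.fdopen(fd, "wb")

    def write(self, chunk):
        self._fh.write(chunk)

    def cancel(self):
        """User chose Cancel: the partial file must not stay in the cache."""
        self._fh.close()
        os.unlink(self.path)

    def accept(self, dest_path):
        """User chose Save: only now does the file get its real name."""
        self._fh.close()
        shutil.move(self.path, dest_path)
        return dest_path


def demo():
    cache = tempfile.mkdtemp()  # stand-in for the browser cache directory
    out = tempfile.mkdtemp()    # stand-in for the folder the user picked
    first = StagedDownload(cache)
    first.write(b"constructed sample bytes")
    first_name = os.path.basename(first.path)
    first.cancel()
    after_cancel = os.listdir(cache)

    second = StagedDownload(cache)
    second.write(b"constructed sample bytes")
    second_name = os.path.basename(second.path)
    saved = second.accept(os.path.join(out, "report.exe"))
    with open(saved, "rb") as fh:
        content = fh.read()
    after_accept = os.listdir(cache)
    shutil.rmtree(cache)
    shutil.rmtree(out)
    return first_name, second_name, after_cancel, after_accept, content
```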