Description: A vulnerability was reported in Opera in the processing of the 'location' object. A remote user can gain read access to the target user's file system.
GreyMagic Software reported that a remote user can create HTML that, when loaded by the target user, can read files on the target user's system or run scripting code in the context of a remote domain.
This is achieved by loading HTML code that invokes a method within the vulnerable 'location' object and then replacing or overwriting a function with arbitrary scripting code. HTML code on the target user's file system or on remote web sites can be exploited.
To gain read access to files on the target user's system, the remote user can load an HTML file from a known location on the target user's system and then overwrite a method within that file.
The vendor was reportedly notified on July 22, 2004.
Some demonstration exploits and the original advisory are available at:
http://www.greymagic.com/security/advisories/gm008-op/
Impact: A remote user can access a target user's file system.
Solution: The vendor has released a fixed version (7.54), available at:
http://www.opera.com/download/
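To find clients that have not yet moved to the fixed release, the following added example (not part of the original advisory) scans web or proxy access logs for Opera User-Agent strings older than 7.54. The log layout (client IP first, User-Agent as the last quoted field), the sample lines, and the function names are assumptions made for illustration.

```python
import re
from decimal import Decimal

FIXED = Decimal("7.54")  # fixed release named in the advisory

# Opera 7.x sends either "Opera/7.53 (...)" or, when set to identify as
# another browser, "Mozilla/4.0 (compatible; MSIE 6.0; ...) Opera 7.53 [en]".
OPERA_RE = re.compile(r"\bOpera[ /](\d+\.\d+)")


def opera_version(user_agent):
    """Return the Opera version in a User-Agent string, or None if absent."""
    m = OPERA_RE.search(user_agent)
    return Decimal(m.group(1)) if m else None


def unpatched_clients(log_lines):
    """Map client IP -> oldest Opera version seen that is below FIXED."""
    found = {}
    for line in log_lines:
        # Assumed layout: IP is the first token, User-Agent the last quoted field.
        parts = line.rsplit('"', 2)
        if len(parts) != 3:
            continue  # no quoted User-Agent field; skip malformed line
        ip = line.split(" ", 1)[0]
        ver = opera_version(parts[1])
        if ver is not None and ver < FIXED:
            found[ip] = min(ver, found.get(ip, ver))
    return found


# Constructed sample log lines (documentation-range addresses).
PREFIX = ' - - [10/Aug/2004:10:00:00 +0000] "GET / HTTP/1.0" 200 512 "-" '
SAMPLE = [
    '192.0.2.10' + PREFIX + '"Opera/7.53 (Windows NT 5.1; U) [en]"',
    '192.0.2.11' + PREFIX
    + '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Opera 7.23 [en]"',
    '192.0.2.12' + PREFIX + '"Opera/7.54 (Windows NT 5.1; U) [en]"',
    '192.0.2.13' + PREFIX + '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '192.0.2.14' + PREFIX + '"Opera/7.60 (Windows NT 5.1; U) [en]"',
]

if __name__ == "__main__":
    for ip, ver in sorted(unpatched_clients(SAMPLE).items()):
        print(f"{ip}\tOpera {ver}\tupgrade to {FIXED} or later")
```

The User-Agent header is set by the client, so treat the result as an inventory aid for prioritising upgrades rather than proof of the installed version.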