Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Web Browser)  >   Opera Vendors:   Opera Software
Opera MIME Types Let Remote Users Place Arbitrary Files in Certain Directories on the Target System
SecurityTracker Alert ID:  1008154
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Nov 12 2003
Impact:   Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 7.21
Description:   A vulnerability was reported in the Opera web browser. A remote user can create HTML that, when loaded by the target user, will write arbitrary files to certain known directories on the target user's system.

It is reported that there is a flaw in the processing of Opera-specific MIME types, including browser skin and browser configuration MIME types. A remote user can cause a file with an arbitrary file name and arbitrary file contents to be written to the target user's system in a known location. As a result, the remote user can cause scripts to be executed with higher privileges, allowing the remote user to view directory contents and files on the target user's system.

The affected MIME types are:


The "application/x-opera-skin" MIME type reportedly will download files (that are ostensibly skin files, but can be any file) to the following location without requesting confirmation from the target user:

C:\Program Files\Opera7\profile\Skin\<filename.ext>

The "application/x-opera-configuration-skin" MIME type allows a remote user to place a file in the "C:\Program Files\Opera7\profile\skin" directory.

The "application/x-opera-configuration-keyboard" MIME type allows a remote user to place a file in the "C:\Program Files\Opera7\profile\keyboard" directory.

The "application/x-opera-configuration-mouse" MIME type allows a remote user to place a file in the "C:\Program Files\Opera7\profile\mouse" directory.

The "application/x-opera-configuration-menu" MIEM type allows a remote user to place a file in the "C:\Program Files\Opera7\profile\menu" directory.

Finally, the "application/x-opera-configuration-toolbar" MIME type allows a remote user to place a file in the "C:\Program Files\Opera7\profile\toolbar" directory.

Impact:   A remote user can place a file with arbitrary contents and an arbitrary file name in certain directories on the target user's system. In turn, this allows the remote user to execute scripting code in the local system domain.
Solution:   The vendor has released a fixed version (7.22),available at:

Vendor URL: (Links to External Site)
Cause:   Access control error, Input validation error
Underlying OS:  Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  [Full-Disclosure] Opera Skinned : Arbitrary File Dropping And Execution (Advisory)

Opera Skinned : Arbitrary File Dropping And Execution


Like other browsers, Opera Web Browser supports many
standard MIME types and also a few 

Opera-specific MIME types. Of the Opera-specific
types, the implementation of the various browser 

skin and browser configuration MIME types(listed
below) has a design flaw that allows the remote 

dropping of an arbitrary file with an arbitrary name
and type in a known location. This is 

triggered when the victim accesses a URL.

Exploitation becomes easier when this vulnerability is
combined with the other "Directory 

Traversal" vulnerability described in the attached


All versions  upto and including 7.21 that support the
flawed MIME types are vulnerable. Version 

7.22 contains the fix.


By using this flaw, an attacker may:

i. Drop arbitrary files with arbitrary names on a
victim's hard disk.
ii. Run scripts with higher privileges.
iii. Read the contents of the directories on a
victim's hard disk.
iv. Read any file.
v. Read M2 emails (Built-in Opera mail client).


We will consider the "application/x-opera-skin" MIME
type first for the sake of clarity. The 

issues are the same for the other five flawed MIME
types. Their specifics are mentioned in a 

later section below.

1. Skinning Opera with "application/x-opera-skin":

According to the functionality that Opera provides, a
user can install a new skin just by 

clicking on a link. Opera automatically downloads and
applies the skin without confirmation from 

the user. For this to work, the MIME type of the skin
file has to be set to 

"application/x-opera-skin" on the web server. The file
type of an Opera skin file is "*.zip". The 

Opera skin file specification [2] says-


"An Opera 7 skin file is a zipped file with extension
.zip that contains a "skin.ini" file at 

root level and a bunch of images making up the skin. 
The "skin.ini" file contains the whole skin
specification. All other files in the zip file are 

pointed to by the specification in "skin.ini"."   [2] 


Skins files are downloaded to "C:\Program
Files\Opera7\profile\Skin\<filename.ext>" (if the 

install directory is "C:\Program Files\Opera7\". It is
*not* necessary for a remote attacker to 

know the install path of Opera for exploitation.)

Skin files that do not have "*.zip" extensions but are
valid skin files are automatically 

downloaded and applied by Opera if the correct MIME is
set on the httpd. They are downloaded to 

the default skin file folder. However, these skins are
not shown in the "file>preferences>skin" 

menu. Only skins with "*.zip" ext., are shown in the

The security problem here is that even invalid,
corrupt skin files with any extension (including 

exe,com, et al) are downloaded to the default skin
file location. The victim doesn't necessarily 

have to know that he is downloading a skin. He just
clicks a malicious link and he is given a 

harmless looking dialog box prompt saying that the
skin file is incompatible with the current 

version of Opera *after the file is downloaded*. User
may click "OK" or "CANCEL" but it has no 

effect on the download behaviour. The file is still
present in the skin file folder and it is not 


This means that an attacker can comfortably drop an
arbitrary file with an arbitrary name & type 

on a victims hard disk in a known location by making
him access a simple, not-specially crafted 

URL. Using an exploitation method detailed elsewhere,
the arbitrary file can be executed.

For instance, if a victim clicks on a link where the MIME type of 

foobar.exe is set as "application/x-opera-skin",
foobar.exe is downloaded automatically to the 

skin file folder. The name foobar.exe is preserved.
So, for a default install of Opera, the file 

is dropped in and as "C:\Program

2. Other flawed MIME types:

Other than the folder location where the file will be
dropped and the file type associated with 

the MIME type, all the details are the same as the
skin MIME detailed above for the MIME types 

listed below. The file type associated with a MIME
type does not hinder the dropping of files of 

other types as shown above. It is just presented here
as useful information.

For all the MIME types below, the locations for a
default install are given. However, a default 

install is not necessary for exploitation.

i."application/x-opera-skin" - Detailed above

ii."application/x-opera-configuration-skin" - File is
dropped in C:\Program 


iii."application/x-opera-configuration-keyboard" -
File is dropped in C:\Program 

Files\Opera7\profile\keyboard. The file type
associated is "*.ini".

iv."application/x-opera-configuration-mouse" - File is
dropped in C:\Program 

Files\Opera7\profile\mouse. The file type associated
is "*.ini".

v."application/x-opera-configuration-menu" - File is
dropped in C:\Program 

Files\Opera7\profile\menu. The file type associated is

vi."application/x-opera-configuration-toolbar - File
is dropped in C:\Program 

Files\Opera7\profile\toolbar. The file type associated
is "*.ini".

About these MIME types, Opera's documentation says-


"If the server returns content-type
"application/x-opera-configuration-menu" or 

"application/x-opera-configuration-keyboard" or
"application/x-opera-configuration-mouse" and the 

file has the "ini" extension, Opera will download and
install the menu, keyboard or mouse 

gestures setup directly" [3]



According to my investigation, files can only be
dropped in the default folders mentioned above. 

Using directory traversal techniques to drop the file
in other locations does not seem to be 


Although any file can be dropped on a victim's
computer, the highest compromise that can be 

accomplished seems to be the running of scripts with
higher privileges. Files other than the file 

types handled by Opera cannot be executed. This means
file types like exe, bat, etc., cannot be 

executed although they may be dropped and file types
like html, txt, gif, etc., can be executed. 

Nevertheless, the executable files dropped using this
vulnerability can be executed by using 

other vulnerabilities(possibly in other software).

This flaw can be exploited alone but, if Opera is not
installed in the default path, a 'blind' 

exploit will not work. Nevertheless, when this flaw is
combined with the Directory Traversal 

vulnerability (detailed in the advisory "Opera Web
Browser Directory Traversal in Internal URI 

Protocol" published by me, attached to this one),
'blind' exploitation, i.e., exploitation 

without knowledge of the install path becomes

A proof of concept exploit is attached with this


The vendor, Opera Software, deserves special mention
here. I had previously read about Opera 

Soft's promptness in resolving security
vulnerabilities in their products. My experience with 

them is one of the best I ever had with any vendor. I
hope they continue to maintain their good 

record even with future security issues.

An updated version with a fix (7.22) is available from
the site -


S.G.Masood (



This advisory is meant only for the dissemination of
information, alerting the general public 

about a security issue. Use this information at your
own discretion.

In brief, the author is not responsible for any use,
misuse, abuse of this information. Also, 

this information is provided "as is" without any
warranty of any kind. 



Do you Yahoo!?
Protect your identity with Yahoo! Mail AddressGuard

Full-Disclosure - We believe in it.


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC