Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Web Browser)  >   Opera Vendors:   Opera Software
Opera Local File IFRAME Error Response Lets Remote Users Determine if Files or Directories Exist
SecurityTracker Alert ID:  1010966
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Aug 17 2004
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): Tested on 7.52 and 7.53
Description:   A vulnerability was reported in Opera. A remote user can create HTML code that, when loaded by the target user, can determine whether specified files or directories exist on the target user's system.

GreyMagic Software reported that when a non-existent file or directory is assigned to an iframe, the browser will generate an error. A remote user can create HTML code that loads an iframe and changes the iframe URL to a local file or directory and then detects whether an error was thrown to determine if the local file or directory exists or not.

A demonstration exploit example to determine whether the 'c:/winnt' directory exists or not is provided:

<iframe src="blank.html"></iframe>
<script type="text/javascript">
onload=function () {
var sLocal="c:/winnt";
function () {
try {
alert(sLocal+" does not exists.");
} catch (oErr) {
alert(sLocal+" exists.");

The original advisory is available at:

Impact:   A remote user can determine whether specified files or directories exist on the target user's system.
Solution:   The vendor has released a fixed version (7.54), available at:

Vendor URL: (Links to External Site)
Cause:   Access control error, State error
Underlying OS:  Linux (Any), UNIX (macOS/OS X), Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  [Full-Disclosure] Opera Local File/Directory Detection (GM#009-OP)

GreyMagic Security Advisory GM#009-OP

By GreyMagic Software, 17 Aug 2004.

Available in HTML format at

Topic: Opera Local File/Directory Detection.

Discovery date: 04 Aug 2004.

Affected applications:

Opera 7.53 and prior on Windows, Linux and Mac. 


While working on a proof-of-concept exploit for the previous Opera advisory
[1] we needed to find a way to detect the victim's system root directory, in
order to locate a specific resource that's required for exploitation. 



After a bit of investigation, we found that we can easily determine whether
a directory (or file) exists or not. 

When a non-existent file or directory is assigned to an iframe, an error is
thrown to the user and the actual location of the iframe does not change. 

This situation can easily be detected by an attacker using an accessible
iframe (within the same domain). By changing its URL to the location of a
file or directory and then checking whether an error is thrown when trying
to access its DOM, the attacker can determine whether the resource exists.


The following sample code determines whether the directory "c:/winnt"

<iframe src="blank.html"></iframe>
<script type="text/javascript">
onload=function () {

An attacker is likely to run this against a group of directories in order to
find the right one or determine whether specific programs are installed. 


Proof-of-concept demonstrations of this issue can be found in our previous
Opera advisory, at 


Update to Opera 7.54.

One of the changes in Opera 7.54 was to completely block access to the
file:// protocol from non-local URLs. That change also happens to protect
against this vulnerability. 

Tested on: 

Opera 7.52.
Opera 7.53.


The information in this advisory and any of its demonstrations is provided
"as is" without warranty of any kind. 

GreyMagic Software is not liable for any direct or indirect damages caused
as a result of using the information or demonstrations provided in any part
of this advisory. 

Full-Disclosure - We believe in it.


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC