Data URLs with executables and misleading download dialog – Opera Security Advisories

Severity: Moderate

Summary

A data URL (RFC 2397) containing an executable file may cause Opera to mislead the user. Opera’s download dialog will in some cases say “Open with NOTEPAD.EXE”, but clicking “Open” will run the executable.

Problem description


The data URL scheme allows authors to embed binary files in the URL itself, instead of using links to external files. Data URLs containing file types that Opera can display are rendered inline; other file types will be handled by Opera’s download dialog.


A bug in Opera’s file download handling causes the download dialog to give wrong information to the user when a data URL with an executable file is loaded. In some cases, it will tell the user that the file will be opened with NOTEPAD.EXE. Although this is not usual (Opera opens text/plain itself by default), the user would reasonably expect the file to be a text file, since NOTEPAD.EXE is a text editor. But when the user clicks “Open”, the file is executed.
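The condition described above is a mismatch between the media type a data URL declares and what its payload actually is. The following is an added example, not Opera's code or part of the advisory: a small RFC 2397 parser plus a defensive check that flags a data URL whose declared type is text/* while the decoded bytes begin with the Windows executable "MZ" signature. The sample URLs are constructed here for illustration.

```python
import base64
import re
from urllib.parse import unquote_to_bytes

# RFC 2397 syntax: data:[<mediatype>][;base64],<data>
_DATA_URL = re.compile(r"^data:(?P<meta>[^,]*),(?P<payload>.*)$", re.DOTALL)


def parse_data_url(url):
    """Split a data: URL into (media_type, is_base64, decoded_bytes)."""
    m = _DATA_URL.match(url)
    if not m:
        raise ValueError("not a data: URL")
    params = m.group("meta").split(";")
    # RFC 2397: an omitted media type defaults to text/plain
    media_type = (params[0] or "text/plain").strip().lower()
    is_base64 = "base64" in (p.strip().lower() for p in params[1:])
    payload = m.group("payload")
    if is_base64:
        data = base64.b64decode(payload)
    else:
        data = unquote_to_bytes(payload)
    return media_type, is_base64, data


def classify_data_url(url):
    """Describe the declared type and whether the payload looks like a Windows executable."""
    media_type, is_base64, data = parse_data_url(url)
    looks_executable = data[:2] == b"MZ"  # DOS/PE header signature
    return {
        "media_type": media_type,
        "base64": is_base64,
        "size": len(data),
        "executable_magic": looks_executable,
        # Declared as text, but the bytes say executable: the spoofing
        # condition this advisory describes, worth blocking or warning on.
        "mismatch": looks_executable and media_type.startswith("text/"),
    }


# Constructed samples (hypothetical, for demonstration only).
SAMPLE_TEXT = "data:text/plain;base64,SGVsbG8="           # decodes to b"Hello"
SAMPLE_MISLABELED = "data:text/plain;base64," + base64.b64encode(
    b"MZ" + b"\x00" * 6).decode()                           # "MZ" header under text/plain

if __name__ == "__main__":
    for u in (SAMPLE_TEXT, SAMPLE_MISLABELED):
        print(classify_data_url(u))
```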

Opera’s response


Opera has released a security upgrade, Opera 7.54u2. The download dialog now displays the correct file name after “Open with”.

Additionally, Opera for Microsoft Windows displays a yellow triangle with an exclamation mark in it.


Reference


Advisory on secunia.com: Opera “data:” URI Handler Spoofing Vulnerability