lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 04 Feb 2015 14:43:20 +0800 From: David Leo <david.leo@...sen.co.uk> To: Joey Fowler <joey@...blr.com> CC: bugtraq@...urityfocus.com, fulldisclosure@...lists.org, bugs@...uritytracker.com, cve-assign@...re.org Subject: Re: [FD] Major Internet Explorer Vulnerability - NOT Patched Microsoft was notified on Oct 13, 2014. Joey thank you very much for your words. Kind Regards, On 2015/2/3 4:53, Joey Fowler wrote: > Hi David, > > "nice" is an understatement here. > > I've done some testing with this one and, while there /are/ quirks, it most definitely works. It even bypasses standard HTTP-to-HTTPS restrictions. > > As long as the page(s) being framed don't contain X-Frame-Options headers (with `deny` or `same-origin` values), it executes successfully. Pending the payload being injected, most Content Security Policies are also bypassed (by injecting HTML instead of JavaScript, that is). > > It looks like, through this method, all viable XSS tactics are open! > > Nice find! > > Has this been reported to Microsoft outside (or within) this thread? > > -- > Joey Fowler > Senior Security Engineer, Tumblr > > > > On Sat, Jan 31, 2015 at 9:18 AM, David Leo <david.leo@...sen.co.uk <mailto:david.leo@...sen.co.uk>> wrote: > > Deusen just published code and description here: > http://www.deusen.co.uk/items/__insider3show.3362009741042107/ <http://www.deusen.co.uk/items/insider3show.3362009741042107/> > which demonstrates the serious security issue. > > Summary > An Internet Explorer vulnerability is shown here: > Content of dailymail.co.uk <http://dailymail.co.uk> can be changed by external domain. > > How To Use > 1. Close the popup window("confirm" dialog) after three seconds. > 2. Click "Go". > 3. After 7 seconds, "Hacked by Deusen" is actively injected into dailymail.co.uk <http://dailymail.co.uk>. > > Technical Details > Vulnerability: Universal Cross Site Scripting(XSS) > Impact: Same Origin Policy(SOP) is completely bypassed > Attack: Attackers can steal anything from another domain, and inject anything into another domain > Tested: Jan/29/2015 Internet Explorer 11 Windows 7 > > If you like it, please reply "nice". > > Kind Regards, > > > _________________________________________________ > Sent through the Full Disclosure mailing list > https://nmap.org/mailman/__listinfo/fulldisclosure <https://nmap.org/mailman/listinfo/fulldisclosure> > Web Archives & RSS: http://seclists.org/__fulldisclosure/ <http://seclists.org/fulldisclosure/> >
Powered by blists - more mailing lists