lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CANVo5XwUMsV8i3ejhXCjPUw1BC-y8PpVG7ytS5rMrCnRPpAzFw@mail.gmail.com>
Date: Mon, 2 Feb 2015 15:53:10 -0500
From: Joey Fowler <joey@...blr.com>
To: David Leo <david.leo@...sen.co.uk>
Cc: fulldisclosure@...lists.org, bugs@...uritytracker.com,
	bugtraq@...urityfocus.com, cve-assign@...re.org
Subject: Re: [FD] Major Internet Explorer Vulnerability - NOT Patched

Hi David,

"nice" is an understatement here.

I've done some testing with this one and, while there *are* quirks, it most
definitely works. It even bypasses standard HTTP-to-HTTPS restrictions.

As long as the page(s) being framed don't contain X-Frame-Options headers
(with `deny` or `same-origin` values), it executes successfully. Pending
the payload being injected, most Content Security Policies are also
bypassed (by injecting HTML instead of JavaScript, that is).

It looks like, through this method, all viable XSS tactics are open!

Nice find!

Has this been reported to Microsoft outside (or within) this thread?

--
Joey Fowler
Senior Security Engineer, Tumblr



On Sat, Jan 31, 2015 at 9:18 AM, David Leo <david.leo@...sen.co.uk> wrote:

> Deusen just published code and description here:
> http://www.deusen.co.uk/items/insider3show.3362009741042107/
> which demonstrates the serious security issue.
>
> Summary
> An Internet Explorer vulnerability is shown here:
> Content of dailymail.co.uk can be changed by external domain.
>
> How To Use
> 1. Close the popup window("confirm" dialog) after three seconds.
> 2. Click "Go".
> 3. After 7 seconds, "Hacked by Deusen" is actively injected into
> dailymail.co.uk.
>
> Technical Details
> Vulnerability: Universal Cross Site Scripting(XSS)
> Impact: Same Origin Policy(SOP) is completely bypassed
> Attack: Attackers can steal anything from another domain, and inject
> anything into another domain
> Tested: Jan/29/2015 Internet Explorer 11 Windows 7
>
> If you like it, please reply "nice".
>
> Kind Regards,
>
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists