Bugtraq mailing list archives

Major Internet Explorer Vulnerability - NOT Patched

From: David Leo <david.leo () deusen co uk>
Date: Sat, 31 Jan 2015 22:18:41 +0800

Deusen just published code and description here:
http://www.deusen.co.uk/items/insider3show.3362009741042107/
which demonstrates the serious security issue.

Summary
An Internet Explorer vulnerability is shown here:
Content of dailymail.co.uk can be changed by external domain.

How To Use
1. Close the popup window("confirm" dialog) after three seconds.
2. Click "Go".
3. After 7 seconds, "Hacked by Deusen" is actively injected into dailymail.co.uk.

Technical Details
Vulnerability: Universal Cross Site Scripting(XSS)
Impact: Same Origin Policy(SOP) is completely bypassed
Attack: Attackers can steal anything from another domain, and inject anything into another domain
Tested: Jan/29/2015 Internet Explorer 11 Windows 7

If you like it, please reply "nice".

Kind Regards,

Current thread:

Major Internet Explorer Vulnerability - NOT Patched David Leo (Feb 02)
- Message not available
  - Re: [FD] Major Internet Explorer Vulnerability - NOT Patched David Leo (Feb 04)
- Message not available
  - Message not available
    - Re: [FD] Major Internet Explorer Vulnerability - NOT Patched David Leo (Feb 09)
    - Suspicious URL:Re: [FD] Major Internet Explorer Vulnerability - NOT Patched Shawn Hsiao (Feb 09)
    - Re: Suspicious URL:Re: [FD] Major Internet Explorer Vulnerability - NOT Patched Christoph Gruber (Feb 10)
    - Re: Suspicious URL:Re: [FD] Major Internet Explorer Vulnerability - NOT Patched Joshua Rogers (Feb 10)
- Message not available
  - Message not available
    - RE: [FD] Major Internet Explorer Vulnerability - NOT Patched Dimitris Strevinas (Feb 09)