Bugtraq mailing list archives
Major Internet Explorer Vulnerability - NOT Patched
From: David Leo <david.leo () deusen co uk>
Date: Sat, 31 Jan 2015 22:18:41 +0800
Deusen just published code and description here: http://www.deusen.co.uk/items/insider3show.3362009741042107/ which demonstrates the serious security issue. Summary An Internet Explorer vulnerability is shown here: Content of dailymail.co.uk can be changed by external domain. How To Use 1. Close the popup window("confirm" dialog) after three seconds. 2. Click "Go". 3. After 7 seconds, "Hacked by Deusen" is actively injected into dailymail.co.uk. Technical Details Vulnerability: Universal Cross Site Scripting(XSS) Impact: Same Origin Policy(SOP) is completely bypassed Attack: Attackers can steal anything from another domain, and inject anything into another domain Tested: Jan/29/2015 Internet Explorer 11 Windows 7 If you like it, please reply "nice". Kind Regards,
Current thread:
- Major Internet Explorer Vulnerability - NOT Patched David Leo (Feb 02)
- Message not available
- Re: [FD] Major Internet Explorer Vulnerability - NOT Patched David Leo (Feb 04)
- Message not available
- Message not available
- Message not available
- Re: [FD] Major Internet Explorer Vulnerability - NOT Patched David Leo (Feb 09)
- Suspicious URL:Re: [FD] Major Internet Explorer Vulnerability - NOT Patched Shawn Hsiao (Feb 09)
- Re: Suspicious URL:Re: [FD] Major Internet Explorer Vulnerability - NOT Patched Christoph Gruber (Feb 10)
- Re: Suspicious URL:Re: [FD] Major Internet Explorer Vulnerability - NOT Patched Joshua Rogers (Feb 10)
- Message not available
- Message not available
- RE: [FD] Major Internet Explorer Vulnerability - NOT Patched Dimitris Strevinas (Feb 09)