Full Disclosure mailing list archives

Re: Major Internet Explorer Vulnerability - NOT Patched

From: David Leo <david.leo () deusen co uk>
Date: Wed, 04 Feb 2015 14:43:20 +0800

Microsoft was notified on Oct 13, 2014.

Joey thank you very much for your words.

Kind Regards,

On 2015/2/3 4:53, Joey Fowler wrote:

Hi David,

"nice" is an understatement here.

I've done some testing with this one and, while there /are/ quirks, it most definitely works. It even bypasses standard 
HTTP-to-HTTPS restrictions.

As long as the page(s) being framed don't contain X-Frame-Options headers (with `deny` or `same-origin` values), it 
executes successfully. Pending the payload being injected, most Content Security Policies are also bypassed (by injecting 
HTML instead of JavaScript, that is).

It looks like, through this method, all viable XSS tactics are open!

Nice find!

Has this been reported to Microsoft outside (or within) this thread?

--
Joey Fowler
Senior Security Engineer, Tumblr



On Sat, Jan 31, 2015 at 9:18 AM, David Leo <david.leo () deusen co uk <mailto:david.leo () deusen co uk>> wrote:

    Deusen just published code and description here:
    http://www.deusen.co.uk/items/__insider3show.3362009741042107/ 
<http://www.deusen.co.uk/items/insider3show.3362009741042107/>
    which demonstrates the serious security issue.

    Summary
    An Internet Explorer vulnerability is shown here:
    Content of dailymail.co.uk <http://dailymail.co.uk> can be changed by external domain.

    How To Use
    1. Close the popup window("confirm" dialog) after three seconds.
    2. Click "Go".
    3. After 7 seconds, "Hacked by Deusen" is actively injected into dailymail.co.uk <http://dailymail.co.uk>.

    Technical Details
    Vulnerability: Universal Cross Site Scripting(XSS)
    Impact: Same Origin Policy(SOP) is completely bypassed
    Attack: Attackers can steal anything from another domain, and inject anything into another domain
    Tested: Jan/29/2015 Internet Explorer 11 Windows 7

    If you like it, please reply "nice".

    Kind Regards,


    _________________________________________________
    Sent through the Full Disclosure mailing list
    https://nmap.org/mailman/__listinfo/fulldisclosure <https://nmap.org/mailman/listinfo/fulldisclosure>
    Web Archives & RSS: http://seclists.org/__fulldisclosure/ <http://seclists.org/fulldisclosure/>



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Current thread:

Major Internet Explorer Vulnerability - NOT Patched David Leo (Jan 31)
- Re: Major Internet Explorer Vulnerability - NOT Patched Joey Fowler (Feb 02)
  - Re: Major Internet Explorer Vulnerability - NOT Patched David Leo (Feb 04)
    - Re: Major Internet Explorer Vulnerability - NOT Patched Dan Ballance (Feb 12)
  - Re: Major Internet Explorer Vulnerability - NOT Patched Ben Lincoln (F7EFC8C9 - FD) (Feb 04)
    - Re: Major Internet Explorer Vulnerability - NOT Patched Dimitris Strevinas (Feb 07)
    - Re: Major Internet Explorer Vulnerability - NOT Patched David Leo (Feb 07)
    - Re: Major Internet Explorer Vulnerability - NOT Patched Ben Lincoln (F7EFC8C9 - FD) (Feb 07)
    - Message not available
    - Re: Suspicious URL:Re: Major Internet Explorer Vulnerability - NOT Patched Christoph Gruber (Feb 11)
    - Re: Major Internet Explorer Vulnerability - NOT Patched Justin Steven (Feb 07)
- <Possible follow-ups>
- Re: Major Internet Explorer Vulnerability - NOT Patched Zaakiy Siddiqui (Feb 04)
  - Re: Major Internet Explorer Vulnerability - NOT Patched Barkley, Peter (Feb 07)
    - Re: Major Internet Explorer Vulnerability - NOT Patched David Leo (Feb 07)

(Thread continues...)