Full Disclosure mailing list archives
Major Internet Explorer Vulnerability - NOT Patched
From: David Leo <david.leo () deusen co uk>
Date: Sat, 31 Jan 2015 22:18:41 +0800
Deusen just published code and description here:
http://www.deusen.co.uk/items/insider3show.3362009741042107/
which demonstrates the serious security issue.

Summary
An Internet Explorer vulnerability is shown here:
Content of dailymail.co.uk can be changed by external domain.

How To Use
1. Close the popup window ("confirm" dialog) after three seconds.
2. Click "Go".
3. After 7 seconds, "Hacked by Deusen" is actively injected into dailymail.co.uk.

Technical Details
Vulnerability: Universal Cross Site Scripting (XSS)
Impact: Same Origin Policy (SOP) is completely bypassed
Attack: Attackers can steal anything from another domain, and inject anything into another domain
Tested: Jan/29/2015 Internet Explorer 11 Windows 7

If you like it, please reply "nice".

Kind Regards,