[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [FD] Major Internet Explorer Vulnerability - NOT Patched
- To: <fulldisclosure@xxxxxxxxxxxx>
- Subject: Re: [FD] Major Internet Explorer Vulnerability - NOT Patched
- From: "Sijmen Ruwhof" <sijmen@xxxxxxxxxxxxx>
- Date: Sun, 8 Feb 2015 15:46:28 +0100
Hi Joey,
In my research I found out that the 'x-frame-options' solution doesn't
protect against session hijacking via session cookie theft. It is very
important that you also need to add 'HttpOnly' flags on all cookies.
I've published an overview of my research, additional mitigations and
supporting evidence in a web log article:
http://sijmen.ruwhof.net/weblog/427-mitigations-against-critical-universal-c
ross-site-scripting-vulnerability-in-fully-patched-internet-explorer-10-and-
11
Kind regards,
Sijmen Ruwhof
Re: Major Internet Explorer Vulnerability - NOT Patched
_____
From: Joey Fowler <joey () tumblr com>
Date: Mon, 2 Feb 2015 15:53:10 -0500
_____
Hi David,
"nice" is an understatement here.
I've done some testing with this one and, while there *are* quirks, it most
definitely works. It even bypasses standard HTTP-to-HTTPS restrictions.
As long as the page(s) being framed don't contain X-Frame-Options headers
(with `deny` or `same-origin` values), it executes successfully. Pending
the payload being injected, most Content Security Policies are also
bypassed (by injecting HTML instead of JavaScript, that is).
It looks like, through this method, all viable XSS tactics are open!
Nice find!
Has this been reported to Microsoft outside (or within) this thread?
--
Joey Fowler
Senior Security Engineer, Tumblr
On Sat, Jan 31, 2015 at 9:18 AM, David Leo <david.leo () deusen co uk>
wrote:
Deusen just published code and description here:
<http://www.deusen.co.uk/items/insider3show.3362009741042107/>
http://www.deusen.co.uk/items/insider3show.3362009741042107/
which demonstrates the serious security issue.
Summary
An Internet Explorer vulnerability is shown here:
Content of dailymail.co.uk can be changed by external domain.
How To Use
1. Close the popup window("confirm" dialog) after three seconds.
2. Click "Go".
3. After 7 seconds, "Hacked by Deusen" is actively injected into
dailymail.co.uk.
Technical Details
Vulnerability: Universal Cross Site Scripting(XSS)
Impact: Same Origin Policy(SOP) is completely bypassed
Attack: Attackers can steal anything from another domain, and inject
anything into another domain
Tested: Jan/29/2015 Internet Explorer 11 Windows 7
If you like it, please reply "nice".
Kind Regards,
_______________________________________________
Sent through the Full Disclosure mailing list
<https://nmap.org/mailman/listinfo/fulldisclosure>
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: <http://seclists.org/fulldisclosure/>
http://seclists.org/fulldisclosure/
_______________________________________________
Sent through the Full Disclosure mailing list
<https://nmap.org/mailman/listinfo/fulldisclosure>
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: <http://seclists.org/fulldisclosure/>
http://seclists.org/fulldisclosure/
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/