LG On Screen Phone authentication bypass (CVE-2014-8757)

Posted by Imre Rad on Feb 08

LG On Screen Phone authentication bypass vulnerability
——————————————————
SEARCH-LAB Ltd. discovered a serious security vulnerability in the On
Screen Phone protocol used by LG Smart Phones. A malicious attacker is
able to bypass the authentication phase of the network communication,
and thus establish a connection to the On Screen Phone application
without the owner’s knowledge or consent. Once connected,…

Very Important Info About "Major Internet Explorer Vulnerability – NOT Patched"

Posted by David Leo on Feb 08

1.
“Spartan – vulnerable (Windows 10)”
http://www.deusen.co.uk/items/insider3show.3362009741042107/SpartanWin10_screenshot.png
Thanks to Zaakiy Siddiqui!

2.
<?php
// Delay before redirecting, then send the redirect to the target page
sleep(2);
header("Location: http://www.dailymail.co.uk/robots.txt");
?>
Many asked for it.

3.
It’s Universal XSS, as we tested:
Not only dailymail.co.uk – also Yahoo etc
Not only injecting content – also getting private info etc.

Kind Regards,

Re: Major Internet Explorer Vulnerability – NOT Patched

Posted by David Leo on Feb 08

“is this entirely an IE flaw”
Yes.

“is it tied to the use of Cloudflare”
No.

“I tried to reproduce… was unsuccessful”
Likely, this detail is missing:
<?php
// Delay before redirecting, then send the redirect to the target page
sleep(2);
header("Location: http://www.dailymail.co.uk/robots.txt");
?>
Please tell us whether you reproduce (with the PHP code).

“am I correct… JavaScript hosted on shared domains”
In the demo, it’s first injected into page…

Re: Major Internet Explorer Vulnerability – NOT Patched

Posted by Dimitris Strevinas on Feb 08

Ben, we have reproduced the vulnerability on many occasions.
First of all, at least to steal the session, it does not matter if
X-Frame-Options is set to deny/same-origin.
Secondly, we were able to easily bypass the alert popup. It is not needed if
you implement the “waiting” logic with a synchronous AJAX call or a looped
wait (there is no sleep in JS).

The most important part is that the “1.php” in the original POC, should…

CVE-2015-0072

Cross-site scripting (XSS) vulnerability in Microsoft Internet Explorer 10 and 11 allows remote attackers to bypass the Same Origin Policy and inject arbitrary web script or HTML via vectors involving an IFRAME element that triggers a redirect, a second IFRAME element that does not trigger a redirect, and an eval of a WindowProxy object, aka “Universal XSS (UXSS).”

CVE-2014-9203

Buffer overflow in the Field Device Tool (FDT) Frame application in the HART Device Type Manager (DTM) library, as used in MACTek Bullet DTM 1.00.0, GE Vector DTM 1.00.0, GE SVi1000 Positioner DTM 1.00.0, GE SVI II AP Positioner DTM 2.00.1, and GE 12400 Level Transmitter DTM 1.00.0, allows remote attackers to cause a denial of service (DTM outage) via crafted packets.

CVE-2015-0589

The administrative web interface in Cisco WebEx Meetings Server 1.0 through 1.5 allows remote authenticated users to execute arbitrary OS commands with root privileges via unspecified fields, aka Bug ID CSCuj40460.

CVE-2015-0600

The mobility extension on Cisco Unified IP 9900 phones with firmware 9.4(.1) and earlier allows remote attackers to cause a denial of service (logoff) via crafted packets, aka Bug ID CSCuq12139.