Monthly Archives: February 2015
Ross Ulbricht Convicted Of Running Drug Marketplace Silk Road
AVG Internet Security 2015.0.5315 Privilege Escalation
AVG Internet Security 2015 suffers from an arbitrary write privilege escalation vulnerability.
BullGuard 14.1.285.4 Privilege Escalation
Multiple products from BullGuard suffer from an arbitrary write privilege escalation vulnerability.
K7 Computing 14.2.0.240 Privilege Escalation
Multiple products from K7 Computing suffer from an arbitrary write privilege escalation vulnerability.
Shuttle Tech ADSL Modem-Router 915 WM DNS Changer
Shuttle Tech ADSL Modem-Router 915 WM unauthenticated remote DNS change exploit.
CFP: Extended submission deadline:: ISSRMET2015 Dubai
Posted by Hazel Ann on Feb 05
I would like to invite you to submit a paper to The International
Conference on Information System Security, Robotics Modeling, and
E-Commerce Transactions (ISSRMET2015) that will be held at Islamic Azad
University, Academic City, Dubai, UAE on March 04-06, 2015.
Conference website: http://sdiwc.net/conferences/issrmet2015
Conference email issrmet15 () sdiwc net
IMPORTANT DATES
Submission Date The submission deadline is extended from now…
DSA-3154 ntp – security update
Several vulnerabilities were discovered in the ntp package, an
implementation of the Network Time Protocol. The Common Vulnerabilities
and Exposures project identifies the following problems:
Re: Major Internet Explorer Vulnerability – NOT Patched
Posted by Zaakiy Siddiqui on Feb 04
Hi David,
Nice one…great find! And thanks Joey for confirming the bypass of HTTP-to-HTTPS restrictions.
I can confirm that this also affects Spartan Browser (Experimental enabled in about:flags in Internet Explorer 11).
I can also confirm that IE 10 is affected.
IE 9 appears to not be vulnerable. Screenshots below.
Regards,
Zaakiy Siddiqui
IE 11 Spartan – vulnerable (Windows 10)
Re: Major Internet Explorer Vulnerability – NOT Patched
Posted by Ben Lincoln (F7EFC8C9 – FD) on Feb 04
So here’s a possibly stupid question: is this entirely an IE flaw, or is
it tied to the use of Cloudflare by the targeted site as well as the
attacking site?
I ask because:
1 – I tried to reproduce the attack in a number of ways without using
CloudFlare, and was unsuccessful.
2 – Since I don’t have access to a CloudFlare account, I used Burp to do
a find/replace for proxied response headers and bodies on…