Category Archives: Full Disclosure

Very Important Info About "Major Internet Explorer Vulnerability – NOT Patched"

Posted by David Leo on Feb 08

1.
“Spartan – vulnerable (Windows 10)”
http://www.deusen.co.uk/items/insider3show.3362009741042107/SpartanWin10_screenshot.png
Thanks to Zaakiy Siddiqui!

2.
<?php
// Wait two seconds, then redirect to the target's robots.txt
sleep(2);
header("Location: http://www.dailymail.co.uk/robots.txt");
?>
Many asked for it.

3.
It’s Universal XSS, as we tested:
Not only dailymail.co.uk – also Yahoo etc
Not only injecting content – also getting private info etc.

Kind Regards,

Re: Major Internet Explorer Vulnerability – NOT Patched

Posted by David Leo on Feb 08

“is this entirely an IE flaw”
Yes.

“is it tied to the use of Cloudflare”
No.

“I tried to reproduce… was unsuccessful”
Likely, this detail is missing:
<?php
// Wait two seconds, then redirect to the target's robots.txt
sleep(2);
header("Location: http://www.dailymail.co.uk/robots.txt");
?>
Please tell us whether you reproduce (with the PHP code).

“am I correct… JavaScript hosted on shared domains”
In the demo, it’s first injected into page…

Re: Major Internet Explorer Vulnerability – NOT Patched

Posted by Dimitris Strevinas on Feb 08

Ben, we have reproduced the vulnerability on many occasions.
First of all, at least to steal the session, it does not matter whether
X-Frame-Options is set to deny/same-origin.
Secondly, we were able to easily bypass the alert popup. It is not needed if
you implement the “waiting” logic with a synchronous AJAX call or a looped
wait (there is no sleep in JS).

The most important part is that the “1.php” in the original POC, should…

CFP: Extended submission deadline:: ISSRMET2015 Dubai

Posted by Hazel Ann on Feb 05

I would like to invite you to submit a paper to The International
Conference on Information System Security, Robotics Modeling, and
E-Commerce Transactions (ISSRMET2015) that will be held at Islamic Azad
University, Academic City, Dubai, UAE on March 04-06, 2015.

Conference website: http://sdiwc.net/conferences/issrmet2015

Conference email: issrmet15 () sdiwc net

IMPORTANT DATES

Submission Date The submission deadline is extended from now…

Re: Major Internet Explorer Vulnerability – NOT Patched

Posted by Zaakiy Siddiqui on Feb 04

Hi David,

Nice one…great find! And thanks Joey for confirming the bypass of HTTP-to-HTTPS restrictions.

I can confirm that this also affects Spartan Browser (Experimental enabled in about:flags in Internet Explorer 11).

I can also confirm that IE 10 is affected.

IE 9 appears to not be vulnerable. Screenshots below.

Regards,
Zaakiy Siddiqui

IE 11 Spartan – vulnerable (Windows 10)


Re: Major Internet Explorer Vulnerability – NOT Patched

Posted by Ben Lincoln (F7EFC8C9 – FD) on Feb 04

So here’s a possibly stupid question: is this entirely an IE flaw, or is
it tied to the use of Cloudflare by the targeted site as well as the
attacking site?

I ask because:

1 – I tried to reproduce the attack in a number of ways without using
CloudFlare, and was unsuccessful.
2 – Since I don’t have access to a CloudFlare account, I used Burp to do
a find/replace for proxied response headers and bodies on…

SQL injection vulnerability in Pragyan CMS v.3.0

Posted by Steffen Rösemann on Feb 03

Advisory: SQL injection vulnerability in Pragyan CMS v.3.0
Advisory ID: SROEADV-2015-11
Author: Steffen Rösemann
Affected Software: Pragyan CMS v.3
Vendor URL: https://github.com/delta/pragyan, http://delta.nitt.edu/
Vendor Status: vendor did not respond after initial communication
CVE-ID: –

==========================
Vulnerability Description:
==========================

Pragyan CMS v. 3 suffers from a SQL injection vulnerability that can be…

Capstone disassembly engine 3.0.1 released!

Posted by Nguyen Anh Quynh on Feb 03

Greetings,

We are happy & excited to release version 3.0.1 of Capstone disassembly
framework!

This stable version brings some important bugfixes for the X86, Arm, Arm64 and
PowerPC architectures. Several memory leak issues in the Python/Cython
bindings have been addressed, too.

Since this release, our Python module “capstone” on PyPI allows downloading
& compiling the core while installing the Python package, so Python
users…