*Note: Email address will appear as "user domain ext" to prevent harvesting.
RE: [FD] Major Internet Explorer Vulnerability - NOT Patched
Feb 05 2015 08:18AM
Dimitris Strevinas (d strevinas obrela com)
Ben, we have reproduced the vulnerability on many occasions.
First of all, at least for stealing the session, it does not matter if
X-Frame-Options is set to deny/same-origin.
Secondly, we were able to easily bypass the alert popup. It is not needed if
you implement the "waiting" logic with a synchronous AJAX...
Copyright 2010, SecurityFocus