Home page logo

fulldisclosure logo Full Disclosure mailing list archives

IE8 Css Cross-Domain Information Disclosure Vulnerability
From: IEhrepus <5up3rh3i () gmail com>
Date: Thu, 14 Oct 2010 22:27:03 +0800

IE8 Css Cross-Domain Information Disclosure Vulnerability

Author: www.80vul.com [Email:5up3rh3i#gmail.com]
Release Date: 2010/10/14
References: http://www.80vul.com/ie8/IE8%20Css%20Cross-Domain%20Information%20Disclosure%20Vulnerability.txt


MS-071 have fixed a  Cross-Domain Information Disclosure Vulnerability
by CSS imports() on IE8, this vul look like had fixed on 2005 by
hacker.co.il[1],but when it work well on IE8 .


@import url("http://hi.baidu.com/hi_heige";);
function loaded() {
<body onload="loaded()">

Disclosure Timeline:

2010/09/09 - Found this Vulnerability
2010/10/12 - Microsoft Security Bulletin MS10-071 Published
2010/10/14 - Public Disclosure

[1] http://www.hacker.co.il/security/ie/css_import.html
[2] http://80vul.com/cssinj/ms071.html


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • IE8 Css Cross-Domain Information Disclosure Vulnerability IEhrepus (Oct 14)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]