Hi David,
nice is an understatement here.
I've done some testing with this one and, while there *are* quirks, it most
definitely works. It even bypasses standard HTTP-to-HTTPS restrictions.
As long as the page(s) being framed don't contain X-Frame-Options headers
(with `deny` or `same-origin`
Brandon Perry bperry.volat...@gmail.com wrote:
I think you would get more traction on possibly getting Apple to fix these
if you wrote exploits proving they were a problem.
Or do you mean exploits like this one:
http://seclists.org/fulldisclosure/2014/May/163
EVERY developer should know that
CVE-2014-5360 Landesk Management Suite XSS (Cross-Site Scripting) Security
Vulnerability
Exploit Title: Landesk Management Suite Cross-Site scripting
vulnerabilityProduct: Landesk Management SuiteVulnerable Versions: 9.5
(possible previous versions), 9.6Tested Version: 9.5Advisory Publication:
# Exploit Title:Sefrengo CMS v1.6.1 - Multiple SQL Injection
Vulnerabilities
# Vendor: http://www.sefrengo.org/
# Download link:http://forum.sefrengo.org/index.php?showtopic=3368 (
https://github.com/sefrengo-cms/sefrengo-1.x/tree/22c0d16bfd715631ed317cc990785ccede478f07
)
# CVE
*CVE-2014-9562 OptimalSite Content Management System (CMS) XSS (Cross-Site
Scripting) Security Vulnerabilities*
Exploit Title: OptimalSite CMS /display_dialog.php image Parameter XSS
Security Vulnerability
Vendor: OptimalSite
Product: OptimalSite Content Management System (CMS)
Vulnerable
*About Group (about.com http://about.com) All Topics (At least 99.88%
links) Vulnerable to XSS Iframe Injection Security Attacks, About.com
Open Redirect Security Vulnerabilities*
*Vulnerability Description:*
About.com all topic sites are vulnerable to XSS (Cross-Site Scripting)
and Iframe