Leo has submitted his revelation on the Full Disclosure mailing list, which can be foundhere.
Vulnerability
The vulnerability is known as a universal cross-site scripting (XSS) flaw.
The XSS flaw can be exploited by attackers to bypass the Same Origin Policy (SOP).
Leo has made a website with the XSS flaw proof-of-concept exploit which can be accessedhere.
The website can popup a message which Leo has written just to show how critical the vulnerability is.
Ive done some testing with this one and, while there /are/ quirks, it most definitely works.
It even bypasses standardHTTP-to-HTTPS restrictions.
It looks like, through this method, all viable XSS tactics are open!
Has this been reported to Microsoft outside (or within) this thread?
source: www.techworm.net
