Full Disclosure mailing list archives
Re: news XSS on paypal.com
From: Javor Ninov <drfrancky () securax org>
Date: Tue, 25 Jul 2006 04:19:38 +0300
ad () heapoverflow com wrote:
This is such a scenario we should see in the poc and not a usual box spamming a website ... This does not really alert a web admin I think.

If this does not alert a web admin ... then nothing can alert him. Once I showed a /etc/passwd to a site admin and his reaction was like "hell, we don't have such a file on our site?! how did you get it?" ... speechless!

Thanks anyway for the information.

php0t wrote:
If it works, then you can plant iframes in popular websites so that when somebody visits them and they happen to be logged on to paypal at the same time, the injected javascript could make a transaction using the victim's (visitor's) credentials. This can all happen without alerting the user. (There might be some circumstances blocking this in practice, like if they require a Turing test for completing money transactions etc.)

php0t

ps: a poc showing how to fake a whole webpage?! :-)

I wonder what is interesting in this, usually a poc shows us we can upload a crafted webpage on a vulnerable website, fake a whole webpage, etc. This link doesn't say much more than the noob who found it.

Pigrelax wrote:
www.paypal.com/cgi-bin/webscr?cmd=p/gen/--></script><script>alert('www
Javor Ninov aka DrFrancky drfrancky shift+2 securax.org
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
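As an added illustration (not code from anyone in this thread), the Python below shows why the `--></script>` shape of the quoted payload matters: a hypothetical handler that reflects the `cmd` query parameter into a script block is closed early by it, while context-appropriate encoding keeps the same value inert. The URL composition, the page fragments and the function names are assumptions for the demonstration.

```python
import html
import json
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the URL shape quoted in the thread, with the report's
# own payload carried in the "cmd" parameter.
REPORTED_URL = ("https://www.paypal.com/cgi-bin/webscr"
                "?cmd=p/gen/--></script><script>alert('www")

def cmd_param(url: str) -> str:
    """Return the raw 'cmd' query value exactly as a server-side handler sees it."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True).get("cmd", [""])[0]

def render_vulnerable(cmd: str) -> str:
    """Hypothetical page that drops cmd into a JS string literal unescaped.
    The payload's '</script>' ends the block early; the browser then parses
    the attacker-controlled '<script>' that follows as a new element."""
    return f"<script>var cmd = '{cmd}';</script>"

def render_hardened_js(cmd: str) -> str:
    """Same reflection with context-appropriate encoding: JSON-encode the value
    for the JS string literal, then escape '</' (and '<!--', which can change
    the HTML script-data parsing state) so the parser never sees a closing
    script tag inside the literal."""
    safe = json.dumps(cmd).replace("</", "<\\/").replace("<!--", "<\\!--")
    return f"<script>var cmd = {safe};</script>"

def render_hardened_html(cmd: str) -> str:
    """If the value is reflected into an HTML attribute instead, entity-encode it."""
    return f'<input name="cmd" value="{html.escape(cmd, quote=True)}">'

def closes_script_early(rendered: str) -> bool:
    """True when the document contains more than the one legitimate '</script'."""
    return rendered.lower().count("</script") > 1

if __name__ == "__main__":
    cmd = cmd_param(REPORTED_URL)
    for name, page in (("vulnerable", render_vulnerable(cmd)),
                       ("hardened-js", render_hardened_js(cmd)),
                       ("hardened-html", render_hardened_html(cmd))):
        print(f"{name:14} breaks out: {closes_script_early(page)}")
```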
Current thread:
- news XSS on paypal.com Pigrelax (Jul 23)
- Re: news XSS on paypal.com ad () heapoverflow com (Jul 23)
- RE: news XSS on paypal.com php0t (Jul 23)
- Re: news XSS on paypal.com ad () heapoverflow com (Jul 23)
- Re: news XSS on paypal.com Javor Ninov (Jul 24)
- RE: news XSS on paypal.com php0t (Jul 23)
- Re: news XSS on paypal.com ad () heapoverflow com (Jul 23)