Full Disclosure mailing list archives

Re: news XSS on paypal.com

From: Javor Ninov <drfrancky () securax org>
Date: Tue, 25 Jul 2006 04:19:38 +0300



ad () heapoverflow com wrote:

This is such scenario we should see in the poc and not a usual boxe
spamming a website ... This does not really alerts a web admin I think.

If this not alerts a web admin ... then nothing can't alert him.
once ago i showed a /etc/passwd to a site admin and his reaction was
like "hell , we don't have such file on our site ?! how did you get it
?" ... speechless !

Thanks anyway for the informations.

php0t wrote:

If it works, then you can plant iframes in popular websites so that when
somebody visits them and they happen to be logged on to paypal at the
same time, the injected javascript could make a transaction using the
victim's (visitor's) creditentials. This can all happen without alerting
the user. (There might be some circumstances blocking this in practice,
like if they require a Turing test for completing money transactions
etc).


php0t

ps: a poc showing how to fake a whole webpage?! :-)

I wonder what is interesting in this , usually a poc show us we can 
upload a crafted webpage on a vulnerable website, fake a whole

webpage,

etc,  this link doesnt speak much than the noob who found it.

Pigrelax wrote:

www.paypal.com/cgi-bin/webscr?cmd=p/gen/--></script><script>alert('www


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


__________ NOD32 1.1674 (20060722) Information __________

This message was checked by NOD32 antivirus system.
  part000.txt - is OK

http://www.eset.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Javor Ninov aka DrFrancky
drfrancky shift+2 securax.org

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

news XSS on paypal.com Pigrelax (Jul 23)
- Re: news XSS on paypal.com ad () heapoverflow com (Jul 23)
  - RE: news XSS on paypal.com php0t (Jul 23)
    - Re: news XSS on paypal.com ad () heapoverflow com (Jul 23)
    - Re: news XSS on paypal.com Javor Ninov (Jul 24)