Full Disclosure mailing list archives
Re: Javascript
From: "Thomas Pollet" <thomas.pollet () gmail com>
Date: Mon, 14 Jan 2008 17:03:13 +0100
Hello,

FYI: I found the SiteCatalyst software running on paypal.com to be vulnerable to XSS in the past (the unfiltered Referer URL was used as a JavaScript value). Omniture/PayPal didn't respond to my emails; PayPal fixed the issue after public disclosure.

Regards,
Thomas Pollet

On 14/01/2008, Michael Holstein <michael.holstein () csuohio edu> wrote:
> This is from a current CNN home page:
>
> /* SiteCatalyst code version: H.10. Copyright 1997-2007 Omniture, Inc. More info available at http://www.omniture.com */
>
> Omniture is one of (many) sites that do tracking for companies .. like what your mouse moves over, how long it stays there, how long you view each page, etc. etc.
>
> This is why you should disable JavaScript for any site you don't explicitly trust (FYI: by default, NoScript for Firefox allows *msn.com, *google.com, and a bunch of other stuff you probably don't want).
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
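The bug class Thomas describes (an untrusted Referer copied into an inline script as a JavaScript string value), shown as an added JavaScript example that is not part of the thread and not Omniture's or PayPal's code; the `s.referrer` assignment and the sample referer values are assumptions:

```javascript
// Added example: the tracking snippet is assumed to emit `s.referrer = "<value>";`
// (hypothetical stand-in; not the real SiteCatalyst output).

// Naive rendering: the referer goes into the string literal unescaped, so a
// quote character in it ends the literal early.
function renderNaive(referer) {
  return '<script>s.referrer = "' + referer + '";</script>';
}

// Safe rendering: JSON.stringify yields a valid JS string literal (quotes,
// backslashes and control characters escaped); the extra replacements keep
// "</script" out of the literal and escape U+2028/U+2029, which JSON permits
// but JavaScript source treats as line terminators.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderSafe(referer) {
  return '<script>s.referrer = ' + jsStringLiteral(referer) + ';</script>';
}

// Defender-side check on rendered output: the assigned value must be one
// intact double-quoted literal with no raw "<" or line break inside it.
function assignedValueIsOneLiteral(html) {
  const m = /^<script>s\.referrer = (.*);<\/script>$/s.exec(html);
  if (!m) return false;
  const expr = m[1];
  if (expr.length < 2 || expr[0] !== '"') return false;
  for (let i = 1; i < expr.length; i++) {
    const c = expr[i];
    if (c === '\\') { i++; continue; }           // skip the escaped character
    if (c === '"') return i === expr.length - 1; // closing quote must be last
    if (c === '\n' || c === '\r' || c === '<') return false;
  }
  return false; // literal never closed
}

// Constructed sample referer containing a quote and a closing script tag.
const HOSTILE_REFERER = 'http://example.test/?q=";</script>x';
```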