Vulnerability Development mailing list archives
Re: Cross site scripting @verisign.com and @cybercash.com
From: KF <dotslash () snosoft com>
Date: Mon, 22 Apr 2002 09:31:55 -0400
No, this IS a hole on their side because their server attempts to generate an error message based on the URL supplied by the user... Also, someone else confirmed that there was an issue with this site in the past allowing credit card info to be gleaned via JavaScript...
The issue you refer to is specific to the about: protocol... If I go to any other http:// sites and append some JavaScript I do not have the same issue; I get the standard 404 instead... The issue lies in the generation of the error message on the cybercash.com side.
http://www.cybercash.com/%3Cblah

Sorry
*The document you have requested does not exist on this system.*
Please check the URL and try again or use the site map below to find the information you are looking for.
If you believe you have received this message in error, write to support at support () verisign com. Include the error code and brief description of what you were doing when you received this error.

*File:* /%253Cblah <----------------------------------- Problem lies here.
*Error:* 404 - Not Found

Note the error File: (Insert javascript here)

-KF

kristalaz wrote:
I don't think that this is a bug in their servers, because if you try this: write "about:<script>alert('hi')</script>" in your address bar in IE >4.0, you will see that it's an IE bug, because this site is generated by the browser

------
kristalaz
kristalaz () yahoo com
http://linux.tinkle.lt
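
As an added illustration (not part of the original post and not the site's own code): a 404 page that echoes the requested path into its "File:" line, as in the error output quoted in this message, next to a version that HTML-escapes the path first. The template, the function names and the second sample path are constructed for the example.

```python
import html
from urllib.parse import unquote

# Constructed template modelled on the error page quoted in the message.
TEMPLATE = (
    "<html><body><h1>Sorry</h1>"
    "<p>The document you have requested does not exist on this system.</p>"
    "<p><b>File:</b> {file}</p>"
    "<p><b>Error:</b> 404 - Not Found</p>"
    "</body></html>"
)


def render_404_unsafe(raw_path: str) -> str:
    """Embed the decoded request path in the page unchanged (the flaw)."""
    return TEMPLATE.format(file=unquote(raw_path))


def render_404_safe(raw_path: str) -> str:
    """Same page, but the path is HTML-escaped before it is embedded."""
    return TEMPLATE.format(file=html.escape(unquote(raw_path), quote=True))


def reflects_markup(page: str, raw_path: str) -> bool:
    """True if a path containing markup characters appears verbatim in page."""
    decoded = unquote(raw_path)
    has_markup = any(ch in decoded for ch in "<>\"'&")
    return has_markup and decoded in page


# Constructed sample requests: the first is the path shown in the message,
# the second reuses the script string from the quoted reply.
SAMPLE_PATHS = [
    "/%3Cblah",
    "/%3Cscript%3Ealert('hi')%3C/script%3E",
    "/index.html",
]

if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        unsafe = reflects_markup(render_404_unsafe(path), path)
        safe = reflects_markup(render_404_safe(path), path)
        print(f"{path!r}: unsafe page reflects markup={unsafe}, "
              f"escaped page reflects markup={safe}")
```

The `reflects_markup` check can be reused as a regression test against any handler that builds an error page from the request path.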