Vulnerability Development mailing list archives

Re: Cross site scripting @verisign.com and @cybercash.com


From: KF <dotslash () snosoft com>
Date: Mon, 22 Apr 2002 09:31:55 -0400

No, this IS a hole on their side because their server attempts to generate an error message based on the URL supplied by the user... Also someone else confirmed that there was an issue with this site in the past allowing credit card info to be gleaned via JavaScript...

The issue you refer to is specific to the about: protocol... if I go to any other http:// sites and append some JavaScript I do not have the same issue, I get the standard 404 instead... the issue lies in the generation of the error message on the cybercash.com side.

http://www.cybercash.com/%3Cblah

Sorry

*The document you have requested does not exist on this system.* Please check the URL and try again or use the site map below to find the information you are looking for.

If you believe you have received this message in error, write to support at support () verisign com. Include the error code and brief description of what you were doing when you received this error.


*File:* /%253Cblah <----------------------------------- Problem lies here.
*Error:*  404 - Not Found

Note the error File: (Insert javascript here)
-KF

kristalaz wrote:

I don't think that this is a bug in their servers, because if you try this
"about:<script>alert('hi')</script>" written in your address bar in IE >4.0, you
will see that it's an IE bug, because this site is generated by the browser
------
kristalaz
kristalaz () yahoo com
http://linux.tinkle.lt



_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com






