
Re: [Full-disclosure] news XSS on paypal.com




ad@xxxxxxxxxxxxxxxx wrote:
> This is the sort of scenario we should see in the poc, and not the usual box
> spamming a website ... This does not really alert a web admin, I think.
If this does not alert a web admin ... then nothing can alert him.
A while ago I showed a /etc/passwd to a site admin and his reaction was
like "hell, we don't have such a file on our site?! how did you get it
?" ... speechless!

> Thanks anyway for the information.
> 
> php0t wrote:
>> If it works, then you can plant iframes in popular websites so that when
>> somebody visits them and they happen to be logged on to paypal at the
>> same time, the injected javascript could make a transaction using the
>> victim's (visitor's) credentials. This can all happen without alerting
>> the user. (There might be some circumstances blocking this in practice,
>> like if they require a Turing test for completing money transactions
>> etc).
>>
>>
>> php0t
>>
>> ps: a poc showing how to fake a whole webpage?! :-)
>>
>>
>>> I wonder what is interesting in this, usually a poc shows us we can
>>> upload a crafted webpage on a vulnerable website, fake a whole webpage,
>>> etc, this link doesn't speak much more than the noob who found it.
>>
>>>> Pigrelax wrote:
>>>>
>>>>> www.paypal.com/cgi-bin/webscr?cmd=p/gen/--></script><script>alert('www
>>

Javor Ninov aka DrFrancky
drfrancky shift+2 securax.org

Attachment: signature.asc
Description: OpenPGP digital signature
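The thread above shows why the quoted URL matters: the `cmd` parameter is reflected into the page unencoded, so a value containing `</script>` closes the real script block and opens a new one. The following Python is an added example, not code from the list or from PayPal, and it assumes a hypothetical page that echoes `cmd` into both a script block and the HTML body; it contrasts that unsafe reflection with context-correct encoding, and includes a simple check a web admin could run over request URLs in an access log.

```python
import html
import json
from urllib.parse import parse_qs, unquote, urlsplit

# The URL quoted in the thread (Pigrelax's post).
QUOTED_URL = "www.paypal.com/cgi-bin/webscr?cmd=p/gen/--></script><script>alert('www"


def cmd_from_url(url: str) -> str:
    """Extract the raw 'cmd' query parameter from a URL (assumed parameter name)."""
    query = urlsplit("http://" + url if "://" not in url else url).query
    return parse_qs(query).get("cmd", [""])[0]


def render_vulnerable(cmd: str) -> str:
    """Hypothetical unsafe template: reflects the parameter verbatim.

    A value containing '</script>' terminates the script block early, so the
    attacker-controlled remainder is parsed as fresh markup and script.
    """
    return f"<script>var cmd = '{cmd}';</script><p>Page: {cmd}</p>"


def render_hardened(cmd: str) -> str:
    """Same template with encoding chosen per output context.

    - JavaScript context: JSON-encode the string and additionally escape '<'
      and '>' as \\u003c / \\u003e, so the literal sequence '</script>' can
      never appear inside the script block regardless of input.
    - HTML context: entity-encode with html.escape (quotes included).
    """
    js_value = json.dumps(cmd).replace("<", "\\u003c").replace(">", "\\u003e")
    return f"<script>var cmd = {js_value};</script><p>Page: {html.escape(cmd)}</p>"


def script_breakout(page: str) -> bool:
    """True if the rendered page contains more script blocks than the template has (one)."""
    return page.lower().count("<script") > 1


def looks_like_reflected_script(url: str) -> bool:
    """Crude log check: does the decoded query string carry a script tag?

    Intended for triage of access-log request lines, not as a filter; it
    URL-decodes once so that percent-encoded variants are caught as well.
    """
    query = unquote(urlsplit("http://" + url if "://" not in url else url).query).lower()
    return "<script" in query or "</script" in query


if __name__ == "__main__":
    cmd = cmd_from_url(QUOTED_URL)
    print("raw parameter :", cmd)
    print("vulnerable    :", render_vulnerable(cmd))
    print("breakout?     :", script_breakout(render_vulnerable(cmd)))
    print("hardened      :", render_hardened(cmd))
    print("breakout?     :", script_breakout(render_hardened(cmd)))
    print("flag in logs? :", looks_like_reflected_script(QUOTED_URL))
```

The point of the two renderers is that escaping must match the context the value lands in: HTML entity encoding alone would still let `</script>` through inside a script block, which is why the JavaScript context gets JSON encoding plus `\u003c`/`\u003e` escaping.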

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/