[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Javascript

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] Javascript
From: "Thomas Pollet" <thomas.pollet@xxxxxxxxx>
Date: Mon, 14 Jan 2008 17:03:13 +0100

Hello,

fyi: I found the sitecatalyst software running on paypal.com to be
vulnerable to xss in the past. (unfiltered referer url was used as a
javascript value). Omniture/paypal didn't respond to my emails, paypal
fixed the issue after public disclosure.

Regards,
Thomas Pollet

On 14/01/2008, Michael Holstein <michael.holstein@xxxxxxxxxxx> wrote:
>
> > This is from a current CNN home page:
> >
> > /* SiteCatalyst code version: H.10.
> > Copyright 1997-2007 Omniture, Inc. More info available at
> > http://www.omniture.com */
>
> Omniture is one of (many) sites that do tracking for companies .. like
> what your mouse moves over, how long it stays there, how long you view
> each page, etc. etc.
>
> This is why you should disable javascript for any site you don't
> explicitly trust (FYI: by default, NoScript for Firefox allows *msn.com
> *google.com, and a bunch of other stuff you probably don't want).
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] Javascript
  - From: scott
- Re: [Full-disclosure] Javascript
  - From: damncon
- Re: [Full-disclosure] Javascript
  - From: Michael Holstein

Prev by Date: Re: [Full-disclosure] what is this?
Next by Date: Re: [Full-disclosure] what is this?
Previous by thread: Re: [Full-disclosure] Javascript
Next by thread: [Full-disclosure] Hacking The Interwebs
Index(es):
- Date
- Thread