[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] PayPal Send Money Cross-Site Scripting Vulnerability
- To: BugTraq <bugtraq-digest@xxxxxxxxxxxxxxxxx>, Full Disclosure <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: [Full-disclosure] PayPal Send Money Cross-Site Scripting Vulnerability
- From: Nathan Power <np@xxxxxxxxxxxxxxxxxxx>
- Date: Sat, 1 Jan 2011 15:51:05 -0500
--------------------------------------------------------------------------------
1. Summary:
PayPal's send money feature is affected by an XSS (cross-site scripting)
vulnerability.
--------------------------------------------------------------------------------
2. Description:
When sending money via PayPal, the sender has an option to input a message
along with the money being sent. A malicious attacker can inject XSS code
into this message box because it fails to validate input. When the victim
goes to view the transaction page the injected code will execute.
--------------------------------------------------------------------------------
3. Impact:
Potentially allow an attacker access to a victim’s PayPal account.
--------------------------------------------------------------------------------
4. Affected Products:
www.paypal.com
--------------------------------------------------------------------------------
5. Solution: None
--------------------------------------------------------------------------------
6. Time Table:
12/06/2010 Reported Vulnerability to the Vendor
12/07/2010 Vendor Acknowledge Vulnerability
--------------------------------------------------------------------------------
7. Credits:
Discovered by Nathan Power
www.securitypentest.com
--------------------------------------------------------------------------------
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/