lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Mon, 29 Mar 2010 09:24:11 +0200
From: PsychoBilly <zpamh0l3@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Paypal XSS Vulnerability - Resolved

Get back Moxie Marlinspike's Cash first!

On Fri, March 29, 2010 10:49 pm, Orbeton, Jon wrote:
The theft reported above will be adressed at approximately NEVEr wahwhahwhhah you loose!


************************  Cluster #[[   Randal T. Rioux   ]] possibly 
emitted, @Time [[   28/03/2010 06:12   ]] The Following #String  
**********************
> I find it humorous that an organization that pretends to be a bank and
> regularly steals money from its members has the balls to distribute a
> "PayPal Responsible Disclosure Policy."
>
> Good luck with that.
>
> Randy
>
>
> On Fri, March 26, 2010 10:49 pm, Orbeton, Jon wrote:
>    
>> All:
>>
>> The XSS vulnerability reported below was addressed at approximately 17:45
>> PDT today.
>>
>> For information about how to report security issues to PayPal, please
>> refer to the PayPal Responsible Disclosure Policy documented here:
>> https://www.paypal.com/cgi-bin/webscr?cmd=xpt/cps/securitycenter/general/ReportingSecurityIssues-outside
>>
>> Site security issues should be reported to:
>>    sitesecurity@...pal.com
>>
>> All reports will be handled professionally and quickly. A PGP key is
>> available at the URL above.
>>
>>
>> Thanks,
>> Jon Orbeton
>>
>> PayPal, an eBay Company
>>
>> ============================================
>>
>> From: Wesley Kerfoot<wjak56 () gmail com>
>> Date: Fri, 26 Mar 2010 15:46:09 -0400
>>
>> Paypal is affected by an XSS vulnerability where it fails to validate
>> input for the following url:
>>
>> https://www.paypal.com/xclick/business=
>>
>> One can add arbitrary javascript with no need for any filter evasion.
>>
>>      https://www.paypal.com/xclick/business=<script>  alert("xss");
>> </script>
>>
>>
>> As far as I know only the above url is affected. All of the usual XSS
>> attacks will work with this.
>>
>> Cheers.
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>>      
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>    


Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ