lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <3355484B9A029740B5D76BB2274573E45EE955@irvexch01.saflink.com>
Date: Tue, 15 Feb 2005 07:01:40 -0800
From: "Israel Torres" <ITorres@...ronic.com>
To: "Josh Tolley" <josh@...ntreeinc.com>,
	"Steven" <steven@...ebug.org>
Cc: <incidents@...urityfocus.com>, <bugtraq@...urityfocus.com>
Subject: RE: eBay Account Phishing with eBay Redirect


Actually Steven's example is supposed to be:
http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&DomainUrl=http://www.website.com 

note the http:// prefix following the RedirectToDomain&DomainUrl=

As of Tuesday Feb 15 7am PST it still works (both examples).

PS Steven, For the "Place or Update Credit Card on File" page, post-login it states for the user to "Sing Out", you may want to change it to "Sign Out". 

Israel Torres


-----Original Message-----
From: Josh Tolley [mailto:josh@...ntreeinc.com]
Sent: Monday, February 14, 2005 11:08 AM
To: Steven
Cc: incidents@...urityfocus.com; bugtraq@...urityfocus.com
Subject: Re: eBay Account Phishing with eBay Redirect


I just tried this with my own URL, and eBay didn't forward me to some 
other site. Perhaps they've plugged this already?

Josh Tolley
Raintree Systems, Inc.
http://www.raintreeinc.com
760 509 9000

Steven wrote:
> I am not sure if this is better served by incidents or bugtraq, but in 
> any event here it is.  I frequently get the fake looking e-mails 
> phishing for my Paypal, eBay, and banking login/password information.  
> Generally the links to the spoofed webpages are just links to a fake 
> page with a modified A HREF tag.  However, it appears someone has found 
> that eBay's actual page has a command to redirect to a specified 
> webpage.  While this shouldn't be a big risk, it still poses a small one 
> and is being actively exploitated.
> 
> The page actually appears to link to eBay and it does, the link below is 
> the one I received in my inbox recently.
> 
> http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&DomainUrl=http%3A%2F%2F%32%31%31%2E%31%37%32%2E%39%36%2E%37%2FUpdateCenter%2FLogin%2F%3FMfcISAPISession%3DAAJbaQqzeHAAeMWZlHhlWXS2AlBXVShqAhQRfhgTDrferHCURstpAisNRqAhQRfhgTDrferHCURstpAisNRpAisNRqAhQRfhgTDrferHCUQRfqzeHAAeMWZlHhlWXh 
> 
> 
> Simply:
> 
> http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&DomainUrl=www.website.com 
> 
> 
> 
> Steven
> steven@...ebug.org
> 
> 


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ