Message-ID: <44C571AA.4080407@securax.org>
Date: Tue, 25 Jul 2006 04:19:38 +0300
From: Javor Ninov <drfrancky@...urax.org>
To: "ad@...poverflow.com" <ad@...poverflow.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: news XSS on paypal.com
ad@...poverflow.com wrote:
> This is the kind of scenario we should see in the PoC, and not the usual box
> spamming a website ... This does not really alert a web admin, I think.
If this doesn't alert a web admin ... then nothing can alert him.
Once I showed a /etc/passwd to a site admin and his reaction was
like "hell, we don't have such a file on our site?! how did you get it?"
... speechless!
> Thanks anyway for the information.
>
> php0t wrote:
>> If it works, then you can plant iframes in popular websites so that when
>> somebody visits them and they happen to be logged on to PayPal at the
>> same time, the injected JavaScript could make a transaction using the
>> victim's (visitor's) credentials. This can all happen without alerting
>> the user. (There might be some circumstances blocking this in practice,
>> like if they require a Turing test for completing money transactions,
>> etc.)
>>
>>
>> php0t
>>
>> ps: a poc showing how to fake a whole webpage?! :-)
>>
>>> I wonder what is interesting in this; usually a PoC shows us we can
>>> upload a crafted webpage on a vulnerable website, fake a whole
>>> webpage, etc. This link doesn't say much more than the noob who found it.
>>
>>>> Pigrelax wrote:
>>>>
>>>> www.paypal.com/cgi-bin/webscr?cmd=p/gen/--></script><script>alert('www
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
Javor Ninov aka DrFrancky
drfrancky shift+2 securax.org
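The posted payload begins with `--></script>`, which only makes sense if the `cmd` value is reflected inside an inline script block: the `</script>` in the value ends the block as far as the HTML parser is concerned, and everything after it is fresh markup. The following added example (mine, not from anyone in this thread or from PayPal) shows that flawed reflection next to the fix, JavaScript-string encoding that hex-escapes `<`, `>` and `&` so no closing tag can appear in the page, plus a check that counts script terminators in the rendered output. The template shape and the `cmd` variable name are assumptions.

```python
import json
import re

# Constructed sample input: the reflected "cmd" value from the URL posted
# in this thread (truncated there, truncated identically here).
INJECTED_CMD = "p/gen/--></script><script>alert('www"

SCRIPT_CLOSE = re.compile(r"</script", re.IGNORECASE)


def render_vulnerable(cmd: str) -> str:
    """Flawed pattern: the request parameter is reflected verbatim inside
    an inline script. The HTML parser does not understand JS string
    syntax, so a '</script>' in the value terminates the block."""
    return f"<script><!--\nvar cmd = '{cmd}';\n//--></script>"


def js_string_literal(value: str) -> str:
    """Encode a value for use as a JavaScript string literal.

    json.dumps quotes the value and backslash-escapes quotes, backslashes
    and control characters; the extra replacements hex-escape '<', '>'
    and '&'. The JS engine decodes \\u003c back to '<', but the HTML
    parser never sees a '<', so neither '</script>' nor '-->' can
    survive into the markup. The data itself is unchanged."""
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def render_hardened(cmd: str) -> str:
    """Same template, but the value goes through the context-aware encoder."""
    return f"<script><!--\nvar cmd = {js_string_literal(cmd)};\n//--></script>"


def script_breakout(html: str) -> bool:
    """Detection check for this template: it contains exactly one script
    block, so more than one '</script' means the value broke out."""
    return len(SCRIPT_CLOSE.findall(html)) > 1


if __name__ == "__main__":
    print("vulnerable breaks out:", script_breakout(render_vulnerable(INJECTED_CMD)))
    print("hardened breaks out:  ", script_breakout(render_hardened(INJECTED_CMD)))
    # The browser still receives the original value once the JS engine decodes it.
    print("round-trips:", json.loads(js_string_literal(INJECTED_CMD)) == INJECTED_CMD)
```

The encoder only protects a JS string-literal context; a value reflected into an HTML attribute or element body needs HTML entity encoding instead, and the iframe-driven transaction scenario php0t describes is additionally blocked by per-request tokens on state-changing actions.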
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/