Date: Tue, 25 Jul 2006 04:19:38 +0300
From: Javor Ninov <drfrancky@...urax.org>
To: "ad@...poverflow.com" <ad@...poverflow.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: news XSS on paypal.com



ad@...poverflow.com wrote:
> This is the scenario we should see in the PoC, not the usual box
> spamming a website ... This does not really alert a web admin, I think.
If this doesn't alert a web admin ... then nothing can alert him.
Once I showed a /etc/passwd to a site admin and his reaction was
like "hell, we don't have such a file on our site?! how did you get
it?" ... speechless!

> Thanks anyway for the informations.
> 
> php0t wrote:
>> If it works, then you can plant iframes in popular websites so that when
>> somebody visits them and they happen to be logged on to PayPal at the
>> same time, the injected JavaScript could make a transaction using the
>> victim's (visitor's) credentials. This can all happen without alerting
>> the user. (There might be some circumstances blocking this in practice,
>> like if they require a Turing test for completing money transactions
>> etc.)
>>
>>
>> php0t
>>
>> ps: a PoC showing how to fake a whole webpage?! :-)
>>
>>> I wonder what is interesting in this, usually a PoC shows us we can
>>> upload a crafted webpage on a vulnerable website, fake a whole webpage,
>>> etc. This link doesn't say much more than the noob who found it.
>>>
>>>> Pigrelax wrote:
>>>> www.paypal.com/cgi-bin/webscr?cmd=p/gen/--></script><script>alert('www

Javor Ninov aka DrFrancky
drfrancky shift+2 securax.org
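The quoted URL injects `--></script><script>` into a query parameter that the page apparently reflects inside an inline script block (an HTML comment inside `<script>`), so the HTML tokenizer ends the script element early and starts a new one. As an added example, not code from this thread or from PayPal, the Node.js snippet below models that break-out with an assumed page template and contrasts it with a hardened embedding. The template, the `cmd` variable name, `jsStringLiteral` and the `scriptTagCount` check are assumptions for illustration; the payload string is constructed from the quoted URL.

```javascript
// Added example (not from the thread): models the break-out pattern in the
// quoted URL and a hardened way to embed untrusted data in an inline script.
// The page template and helper names below are assumptions for illustration.

// Constructed from the quoted URL (the original is truncated after "www").
const payload = "p/gen/--></script><script>alert('www";

// Vulnerable (assumed template): the parameter is dropped straight into an
// inline <script> wrapped in an HTML comment. Quoting inside the JS string
// does not matter: the HTML tokenizer ends the element at the first
// "</script>" it sees, and "-->" closes the comment before it.
function renderVulnerable(cmd) {
  return `<html><body>
<script><!--
var cmd = '${cmd}';
//--></script>
</body></html>`;
}

// Hardened: JSON-encode, then escape the characters the script-data
// tokenizer cares about, so "</script>" and "<!--" can never appear in the
// emitted source regardless of what the value contains.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/\u2028/g, "\\u2028") // JS line terminators not escaped by JSON
    .replace(/\u2029/g, "\\u2029");
}

function renderHardened(cmd) {
  return `<html><body>
<script>
var cmd = ${jsStringLiteral(cmd)};
</script>
</body></html>`;
}

// Crude check: count <script ...> start tags the way the tokenizer would.
// A reflected value must never raise this above what the template itself has.
function scriptTagCount(html) {
  return (html.match(/<script\b/gi) || []).length;
}

console.log("vulnerable script tags:", scriptTagCount(renderVulnerable(payload)));
console.log("hardened script tags:  ", scriptTagCount(renderHardened(payload)));
console.log(renderHardened(payload));
```

Escaping `<` with `\u003c` is what makes the hardened form safe: the value still round-trips to the identical JavaScript string, but the HTML parser, which does not understand JS escapes, never sees a `</script>` or `<!--` sequence. Escaping quotes alone, as the vulnerable template relies on, does nothing against this break-out.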



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
