| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <dd5f5ac90801140803m338a3988xeafbf02306fca4a1@mail.gmail.com> Date: Mon, 14 Jan 2008 17:03:13 +0100 From: "Thomas Pollet" <thomas.pollet@...il.com> To: full-disclosure@...ts.grok.org.uk Subject: Re: Javascript Hello, fyi: I found the sitecatalyst software running on paypal.com to be vulnerable to xss in the past. (unfiltered referer url was used as a javascript value). Omniture/paypal didn't respond to my emails, paypal fixed the issue after public disclosure. Regards, Thomas Pollet On 14/01/2008, Michael Holstein <michael.holstein@...ohio.edu> wrote: > > > This is from a current CNN home page: > > > > /* SiteCatalyst code version: H.10. > > Copyright 1997-2007 Omniture, Inc. More info available at > > http://www.omniture.com */ > > Omniture is one of (many) sites that do tracking for companies .. like > what your mouse moves over, how long it stays there, how long you view > each page, etc. etc. > > This is why you should disable javascript for any site you don't > explicitly trust (FYI: by default, NoScript for Firefox allows *msn.com > *google.com, and a bunch of other stuff you probably don't want). > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists