Full Disclosure mailing list archives

Re: Javascript

From: "Thomas Pollet" <thomas.pollet () gmail com>
Date: Mon, 14 Jan 2008 17:03:13 +0100

Hello,

fyi: I found the sitecatalyst software running on paypal.com to be
vulnerable to xss in the past. (unfiltered referer url was used as a
javascript value). Omniture/paypal didn't respond to my emails, paypal
fixed the issue after public disclosure.

Regards,
Thomas Pollet

On 14/01/2008, Michael Holstein <michael.holstein () csuohio edu> wrote:

This is from a current CNN home page:

/* SiteCatalyst code version: H.10.
Copyright 1997-2007 Omniture, Inc. More info available at
http://www.omniture.com */


Omniture is one of (many) sites that do tracking for companies .. like
what your mouse moves over, how long it stays there, how long you view
each page, etc. etc.

This is why you should disable javascript for any site you don't
explicitly trust (FYI: by default, NoScript for Firefox allows *msn.com
*google.com, and a bunch of other stuff you probably don't want).

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Javascript scott (Jan 12)
- Re: Javascript damncon (Jan 13)
  - Re: Javascript Michael Holstein (Jan 14)
    - Re: Javascript Thomas Pollet (Jan 14)