Vulnerability Development mailing list archives
Re: Cross site scripting @verisign.com and @cybercash.com
From: Tim Morgan <tmorgan-security () kavi com>
Date: Sat, 20 Apr 2002 20:56:17 -0700
http://www.cybercash.com/<script>alert('hi')</script>
or
http://www.verisign.com/<script>alert('hi')</script>

Not sure how big a deal this is... but seeing as how the name verisign is associated with "Security" I think it should be looked at. This didn't work from my Mozilla browser on linux but it did from IE on win2k... could be a browser detection method causing the varied results.
I noticed this on CyberCash a few weeks ago, but didn't think much of it since their site is on the chopping block. Hadn't checked VeriSign yet though, good find.

One interesting point is that CyberCash seems to use cookies for authentication. At this point in time, AFAIK, you can't glean CC numbers from the site, but before VeriSign swallowed CyberCash, there were some interfaces that allowed you to get credit card numbers for certain transactions.

It is scary and pathetic that such things go on.

tim
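An added illustration, not part of the thread and not code from either site: it shows why a path reflected into an error page matters when authentication rides on cookies, and how output encoding plus an `HttpOnly` session cookie close the gap. It assumes the server echoes the request path into HTML, and that the Mozilla/IE difference reported above could come from one client percent-encoding `<` and `>` in the path while the other sends them raw; all function and cookie names are hypothetical.

```javascript
// Added example, not code from the thread or from either site.
// Assumption: the server copies the request path into an HTML error page.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Assumed vulnerable behaviour: the path reaches the markup verbatim.
function notFoundPageUnsafe(rawPath) {
  return `<html><body><p>${rawPath} was not found.</p></body></html>`;
}

// Hardened: decode for display, then HTML-encode at the point of output,
// so the result is inert whichever form the client sent.
function notFoundPageSafe(rawPath) {
  let shown;
  try {
    shown = decodeURIComponent(rawPath);
  } catch (err) {
    shown = rawPath; // malformed percent-escape: show it as received
  }
  return `<html><body><p>${escapeHtml(shown)} was not found.</p></body></html>`;
}

// Session cookie that page script cannot read, limiting what a reflected
// script could take from a cookie-authenticated session.
function sessionCookieHeader(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly`;
}

// True when the page would contain a live <script> element.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed inputs: the path from the post, raw and percent-encoded.
const pathSentRaw = "/<script>alert('hi')</script>";
const pathSentEncoded = encodeURI(pathSentRaw);

console.log('unsafe, raw path     :', containsScriptTag(notFoundPageUnsafe(pathSentRaw)));
console.log('unsafe, encoded path :', containsScriptTag(notFoundPageUnsafe(pathSentEncoded)));
console.log('safe, raw path       :', containsScriptTag(notFoundPageSafe(pathSentRaw)));
console.log('safe, encoded path   :', containsScriptTag(notFoundPageSafe(pathSentEncoded)));
console.log(sessionCookieHeader('session', 'constructed-value'));
```

The unsafe page is only accidentally harmless for clients that percent-encode the path; the encoded output is harmless for every client.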