Vulnerability Development mailing list archives

Re: Cross site scripting @verisign.com and @cybercash.com


From: Tim Morgan <tmorgan-security () kavi com>
Date: Sat, 20 Apr 2002 20:56:17 -0700

> http://www.cybercash.com/<script>alert('hi')</script>
>
> or
>
> http://www.verisign.com/
> <http://www.cybercash.com/><script>alert('hi')</script>
>
> Not sure how big a deal this is... but seeing as how the name VeriSign
> is associated with "Security" I think it should be looked at. This
> didn't work from my Mozilla browser on Linux but it did from IE on
> Win2k... could be a browser detection method causing the varied results.

I noticed this on CyberCash a few weeks ago, but didn't think much of it
since their site is on the chopping block.  Hadn't checked VeriSign yet
though, good find.  One interesting point is that CyberCash seems to use
cookies for authentication.  At this point in time, AFAIK, you can't glean CC
numbers from the site, but before VeriSign swallowed CyberCash, there
were some interfaces that allowed you to get credit card numbers for
certain transactions.  It is scary and pathetic that such things go on.

tim
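The PoC URLs quoted above work only if the server reflects the requested path into its HTML unescaped (typically in an error page). The following is an added example, not code from the post or from either site, that models that pattern: a constructed "not found" page rendered once with the raw path and once with the path HTML-escaped, plus a check for whether a live script element survives. It also simulates one plausible, unconfirmed reason for the IE/Mozilla difference the original poster saw: a client that percent-encodes `<` and `>` in the path sends no raw markup for a server that echoes the request line verbatim. All function names and the page template are illustrative assumptions.

```javascript
// Added example, not the original post's or either site's code. Simulates a
// generic error page that echoes the request path (a common reflected-XSS
// source) in a vulnerable and a hardened form. Template and names are assumed.

// Escape the characters that matter when inserting text into an HTML body.
function htmlEscape(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the raw request path is concatenated straight into the markup.
function notFoundPageVulnerable(requestPath) {
  return '<html><body><h1>Not Found</h1><p>The URL ' + requestPath +
         ' was not found on this server.</p></body></html>';
}

// Hardened: identical page, but the path is escaped before insertion, so
// attacker-controlled characters become inert text.
function notFoundPageHardened(requestPath) {
  return '<html><body><h1>Not Found</h1><p>The URL ' + htmlEscape(requestPath) +
         ' was not found on this server.</p></body></html>';
}

// Crude detector: does an unescaped <script>...</script> element survive
// into the response? Good enough for a PoC check, not a parser.
function containsLiveScriptTag(html) {
  return /<script\b[^>]*>[\s\S]*?<\/script>/i.test(html);
}

// Some clients percent-encode '<' and '>' in the path before sending; others
// send them raw. A server echoing the raw request line (without decoding)
// only yields live markup in the second case. This is a simulation of that
// client behaviour, assumed as one explanation for the browser difference.
function encodeLikeStrictClient(path) {
  return path.replace(/</g, '%3C').replace(/>/g, '%3E');
}

// The payload path from the post's PoC URL (constructed input).
const PAYLOAD_PATH = "/<script>alert('hi')</script>";

// Run every combination and return the outcome table for inspection.
function evaluatePoC(path) {
  const strictPath = encodeLikeStrictClient(path);
  return {
    vulnerableRawClient:    containsLiveScriptTag(notFoundPageVulnerable(path)),
    vulnerableStrictClient: containsLiveScriptTag(notFoundPageVulnerable(strictPath)),
    hardenedRawClient:      containsLiveScriptTag(notFoundPageHardened(path)),
    hardenedStrictClient:   containsLiveScriptTag(notFoundPageHardened(strictPath)),
  };
}

console.log(evaluatePoC(PAYLOAD_PATH));
```

Only the vulnerable page fed the raw, unencoded path yields a live script element; escaping on output closes the hole regardless of what the client sends, which is the fix to ask for rather than relying on browser encoding behaviour.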

