Full Disclosure mailing list archives
PayPal Send Money Cross-Site Scripting Vulnerability
From: Nathan Power <np () securitypentest com>
Date: Sat, 1 Jan 2011 15:51:05 -0500
--------------------------------------------------------------------------------
1. Summary:

PayPal's send money feature is affected by an XSS (cross-site scripting) vulnerability.

--------------------------------------------------------------------------------
2. Description:

When sending money via PayPal, the sender has the option to enter a message along with the money being sent. An attacker can inject XSS code into this message box because the field fails to validate input. When the victim views the transaction page, the injected code executes in the victim's browser.

--------------------------------------------------------------------------------
3. Impact:

Could potentially give an attacker access to a victim's PayPal account.

--------------------------------------------------------------------------------
4. Affected Products:

www.paypal.com

--------------------------------------------------------------------------------
5. Solution:

None

--------------------------------------------------------------------------------
6. Time Table:

12/06/2010 Reported vulnerability to the vendor
12/07/2010 Vendor acknowledged the vulnerability

--------------------------------------------------------------------------------
7. Credits:

Discovered by Nathan Power
www.securitypentest.com

--------------------------------------------------------------------------------
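The defect described above is a stored XSS: a sender-controlled message is saved and later placed into the transaction page without encoding, so it is rendered as markup in the recipient's browser. The example below is added here and is not code from PayPal or from the advisory's author; it is a hypothetical transaction-page renderer showing the vulnerable interpolation next to the hardened version, which applies HTML output encoding to every untrusted field, plus a small check that flags any tag in the rendered output that the template itself did not emit. The transaction record and its memo text are constructed sample data.

```python
import html
import re

# Constructed sample transaction record (not real data). The "memo" field
# is the sender-controlled free-text message and must be treated as untrusted.
SAMPLE_TRANSACTION = {
    "sender": "alice@example.com",
    "amount": "25.00 USD",
    "memo": 'Thanks! <script>alert(document.cookie)</script>',
}


def render_memo_unsafe(tx):
    """Vulnerable pattern: the untrusted memo is interpolated straight into HTML,
    so any markup the sender typed becomes part of the page."""
    return f'<p class="memo">{tx["memo"]}</p>'


def render_memo_safe(tx):
    """Hardened pattern: HTML-encode the memo for the text-node context.

    html.escape with quote=True converts &, <, >, " and ', which is the
    correct treatment for content placed between tags or in a quoted attribute.
    """
    return f'<p class="memo">{html.escape(tx["memo"], quote=True)}</p>'


def render_transaction_page(tx):
    """Render the whole transaction-detail page, encoding every untrusted field
    (not only the memo) before it touches the HTML."""
    rows = "".join(
        f"<tr><th>{html.escape(k)}</th><td>{html.escape(str(v))}</td></tr>"
        for k, v in tx.items()
        if k != "memo"
    )
    return (
        "<!doctype html><html><body>"
        f"<table>{rows}</table>"
        f"{render_memo_safe(tx)}"
        "</body></html>"
    )


# Tag names the template is allowed to emit; anything else in the output
# must have come from user-supplied data leaking through unencoded.
ALLOWED_TAGS = {"html", "body", "table", "tr", "th", "td", "p"}

_TAG_NAME_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)")


def contains_foreign_markup(rendered, allowed_tags=ALLOWED_TAGS):
    """Detection helper for tests or a response filter: return True if the
    rendered HTML contains a tag name the template did not produce."""
    names = {m.group(1).lower() for m in _TAG_NAME_RE.finditer(rendered)}
    return not names.issubset(allowed_tags)


if __name__ == "__main__":
    print("unsafe  :", render_memo_unsafe(SAMPLE_TRANSACTION))
    print("safe    :", render_memo_safe(SAMPLE_TRANSACTION))
    print("foreign markup in unsafe page:",
          contains_foreign_markup(render_memo_unsafe(SAMPLE_TRANSACTION)))
    print("foreign markup in safe page  :",
          contains_foreign_markup(render_transaction_page(SAMPLE_TRANSACTION)))
```

Encoding at output time, in the context where the value is inserted, is the fix that actually closes the hole; input validation on the message box alone is fragile because the same stored text may later be rendered in other contexts (e-mail notifications, JSON APIs, JavaScript strings) that each need their own encoding. The `contains_foreign_markup` check is a cheap regression test to keep in the renderer's test suite, not a substitute for the encoding itself.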