This is the kind of scenario we should see in the PoC, and not a usual box spamming a website ... This does not really alert a web admin, I think.
Thanks anyway for the information.

php0t wrote:
If it works, then you can plant iframes in popular websites so that when
somebody visits them and they happen to be logged on to paypal at the
same time, the injected JavaScript could make a transaction using the
victim's (visitor's) credentials. This can all happen without alerting
the user. (There might be some circumstances blocking this in practice,
like if they require a Turing test for completing money transactions
etc).


php0t

ps: a poc showing how to fake a whole webpage?! :-)


  
I wonder what is interesting in this; usually a PoC shows us we can
upload a crafted webpage on a vulnerable website, fake a whole webpage,
etc. This link doesn't speak much more than the noob who found it.
    

  
Pigrelax wrote:

      
www.paypal.com/cgi-bin/webscr?cmd=p/gen/--></script><script>alert('www


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/





  

Arnaud Dovi / Independent Security Researcher
