I find it humorous that an organization that pretends to be a bank and regularly steals money from its members has the balls to distribute a "PayPal Responsible Disclosure Policy."
Good luck with that. Randy On Fri, March 26, 2010 10:49 pm, Orbeton, Jon wrote: > All: > > The XSS vulnerability reported below was addressed at approximately 17:45 > PDT today. > > For information about how to report security issues to PayPal, please > refer to the PayPal Responsible Disclosure Policy documented here: > https://www.paypal.com/cgi-bin/webscr?cmd=xpt/cps/securitycenter/general/ReportingSecurityIssues-outside > > Site security issues should be reported to: > [email protected] > > All reports will be handled professionally and quickly. A PGP key is > available at the URL above. > > > Thanks, > Jon Orbeton > > PayPal, an eBay Company > > ============================================ > > From: Wesley Kerfoot <wjak56 () gmail com> > Date: Fri, 26 Mar 2010 15:46:09 -0400 > > Paypal is affected by an XSS vulnerability where it fails to validate > input for the following url: > > https://www.paypal.com/xclick/business= > > One can add arbitrary javascript with no need for any filter evasion. > > https://www.paypal.com/xclick/business=<script> alert("xss"); > </script> > > > As far as I know only the above url is affected. All of the usual XSS > attacks will work with this. > > Cheers. > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
